Abstract

Calculational abstract interpretation, long advocated by Cousot, is a 
technique for deriving correct-by-construction abstract interpreters 
from the formal semantics of programming languages. 

This paper addresses the problem of deriving correct-by-verified-construction abstract interpreters with the use of a proof assistant.
We identify several technical challenges to overcome with the aim 
of supporting verified calculational abstract interpretation that is 
faithful to existing pencil-and-paper proofs, supports calculation 
with Galois connections generally, and enables the extraction of 
verified static analyzers from these proofs. 

To meet these challenges, we develop a theory of Galois connections in monadic style that includes a specification effect. Effectful calculations may reason classically, while pure calculations have extractable computational content. Moving between the worlds of specification and implementation is enabled by our metatheory.

To validate our approach, we give the first mechanically verified 
proof of correctness for Cousot’s “Calculational design of a generic 
abstract interpreter.” Our proof “by calculus” closely follows the 
original paper-and-pencil proof and supports the extraction of a 
verified static analyzer. 

Keywords Abstract interpretation, Galois connections, dependently typed programming, mechanized metatheory, static analysis

1. Introduction 

Abstract interpretation [9, 10] is a foundational and unifying theory of semantics and abstraction developed by P. Cousot and R. Cousot, which has had notable impact on the theory and practice of program analysis and verification. Traditionally, static analyses and verification frameworks such as type systems, program logics, or constraint-based analyses start by first postulating a specification of an abstract semantics. Only afterward is this abstraction proved correct with respect to the language’s semantics. This proof establishes post facto that the analysis or logic is an abstract interpretation of the underlying language semantics.

P. Cousot has also advocated an alternative approach to the design of abstract interpreters called calculational abstract interpretation [7, 8], which involves systematically applying abstraction functions to a programming language semantics in order to derive an abstraction. Abstract interpretations derived in the calculational style are correct by construction (assuming no missteps are made in the calculation) and need not be proved sound after the fact.

This paper addresses the problem of mechanically verifying the derivations of calculational abstract interpretation using a proof assistant. We identify several technical challenges to modelling the theory of abstract interpretation in a constructive, dependent type theory and then develop solutions to these challenges. Paramount in overcoming these challenges is effectively representing Galois connections and maintaining a modality between specifications and implementations to enable program extraction. To do this, we propose a novel form of Galois connections endowed with monadic structure which we dub Kleisli Galois connections. This monadic structure maintains a distinction between calculation at the specification level, which may be non-constructive, and at the implementation level, which must be constructive. Remarkably, calculations are able to move back and forth between these modalities and verified programs may be extracted from the end result of calculation.

Figure 1: Relations between classical Galois connections and their Kleisli and constructive counterparts.

To establish the adequacy of our theory, we prove it is sound and complete with respect to a subset of traditional Galois connections, and isomorphic to a space of fully constructive Galois connections, diagrammed in figure 1. To establish the utility of our theory, we construct a framework for abstract interpretation with Kleisli Galois connections in the dependently typed programming language and proof assistant Agda [20]. To validate our method, we re-derive Cousot’s generic compositional static analyzer for an imperative language by abstract interpretation of the language’s formal semantics. Consequently we obtain a verified proof of the calculation and extract a verified implementation of Cousot’s static analyzer.

Contributions This paper contributes: 

1. a framework for mechanically verified abstract interpretation 
that supports calculation and program extraction, 

2. a theory of specification effects in Galois connections, and 

3. a verified proof of Cousot’s generic abstract interpreter derived 
by calculus. 

To supplement these contributions, we provide two artifacts. The first is the source code of this document, which is a literate Agda program and verified at typesetting-time. For presentation purposes, it assumes a few lemmas and is less general than it could be. The second artifact is a stand-alone Agda program that develops all of the results in this paper in full detail, including the mathematically stated theorems and lemmas. Claims are marked with a symbol whenever they have been proved in Agda. (All claims are checked.) The full development is found at:

https://github.com/plum-umd/mvcai 

Although largely self-contained, this paper assumes a basic familiarity with abstract interpretation and dependently typed programming. There are excellent tutorials on both ([8, 11] and [5, 21], respectively).
2. Calculational Abstract Interpretation

To demonstrate our approach to mechanizing Galois connections we present the calculation of a generic abstract interpreter, as originally presented by Cousot [7]. The setup is a simple arithmetic expression language which includes a random number expression, and is otherwise standard. The syntax and semantics are given in figure 2.

A collecting semantics is defined as a monotonic (written $\nearrow$) predicate transformer using $\_ \vdash \_ \mapsto \_$:

$eval \in exp \to \wp(env) \nearrow \wp(val)$
$eval[e](R) := \{ v \mid \exists \rho \in R : \rho \vdash e \mapsto v \}$

In the setting of abstract interpretation, an analysis for a program $e$ is performed by: (1) defining another semantics $eval^\sharp$, where $eval^\sharp$ is shown to soundly approximate the semantics of $eval$, and (2) executing the $eval^\sharp[e]$ semantics and observing the output. There are many different methods for arriving at $eval^\sharp$; however, the calculational approach prescribes a methodology for defining $eval^\sharp$ through calculus, the results of which are correct by construction.

To arrive at $eval^\sharp$ through calculus we first establish an abstraction for the domain $\wp(env) \nearrow \wp(val)$, which we call $env^\sharp \nearrow val^\sharp$. After abstracting the domain, we induce a best specification for any abstract semantics $eval^\sharp \in env^\sharp \nearrow val^\sharp$. Then we perform calculation on this specification to arrive at a definition for $eval^\sharp$. Key in this methodology is the requirement that $eval^\sharp$ be an algorithm; otherwise we would just define $eval^\sharp$ to be the induced best specification and be done.

We induce the best specification for $eval$ by: (1) constructing an abstraction for values $val^\sharp$ and proving it is a valid abstraction of $\wp(val)$, (2) constructing an abstraction for environments $env^\sharp$ and proving it is a valid abstraction of $\wp(env)$, (3) lifting these abstractions pointwise to $env^\sharp \nearrow val^\sharp$ and proving it is a valid abstraction of $\wp(env) \nearrow \wp(val)$, and (4) inducing $\alpha^{e \to v}(eval)$ as the best abstraction of $eval$ using the results from (3).


Abstracting values We pick a simple sign abstraction for $val^\sharp$; however, our final calculated abstract interpreter will be fully generic in $val^\sharp$, as is done in Cousot’s original derivation [7].

$v^\sharp \in val^\sharp := \{ -, 0, +, \top, \bot \}$

The set $val^\sharp$ has the partial ordering $\bot \sqsubseteq - \parallel 0 \parallel + \sqsubseteq \top$, where $\_ \parallel \_$ is notation for incomparable.

Justifying that $val^\sharp$ is a valid abstraction takes the form of a Galois connection:

$\wp(val) \underset{\alpha^v}{\overset{\gamma^v}{\leftrightarrows}} val^\sharp$.

Galois connections are mappings between concrete objects and abstract objects which satisfy soundness and completeness properties. For $val^\sharp$, the Galois connection with $\wp(val)$ is defined:

$\alpha^v \in \wp(val) \nearrow val^\sharp$
$\alpha^v(V) := -\ \text{if}\ \exists v \in V : v < 0$
$\qquad\qquad \sqcup\ 0\ \text{if}\ 0 \in V$
$\qquad\qquad \sqcup\ +\ \text{if}\ \exists v \in V : v > 0$

$\gamma^v \in val^\sharp \nearrow \wp(val)$
$\gamma^v(-) := \{ v \mid v < 0 \}$
$\gamma^v(0) := \{ 0 \}$
$\gamma^v(+) := \{ v \mid v > 0 \}$
$\gamma^v(\top) := \mathbb{Z}$
$\gamma^v(\bot) := \emptyset$

$\alpha^v$ is called the abstraction function, which maps concrete sets of numbers in $\wp(val)$ to finite, symbolic representations in $val^\sharp$. $\gamma^v$ is called the concretization function, mapping abstract symbols in $val^\sharp$ to concrete sets in $\wp(val)$.

This Galois connection is extensive: properties of values in $val^\sharp$ imply properties of related concrete values in $\wp(val)$. It is reductive: $\alpha^v$ is the best possible abstraction given $\gamma^v$.


  n ∈ lit := ℤ                                        integer literals
  x ∈ var                                             variables
  u ∈ unary := + | −                                  unary operators
  b ∈ binary := + | − | × | / | %                     binary operators
  e ∈ exp := n                                        integer literal
           | x                                        variable
           | rand                                     random integer
           | u e                                      unary operator
           | e b e                                    binary operator
  v ∈ val := ℤ                                        values
  ⟦_⟧ᵘ ∈ unary → (val → val)                          unary op denot.
  ⟦_⟧ᵇ ∈ binary → (val × val → val)                   binary op denot.
  ρ ∈ env := var → val                                environments
  _ ⊢ _ ↦ _ ∈ ℘(env × exp × val)                      eval. relation

$\dfrac{}{\rho \vdash n \mapsto n}$ $\qquad$ $\dfrac{}{\rho \vdash x \mapsto \rho(x)}$ $\qquad$ $\dfrac{n \in \mathbb{Z}}{\rho \vdash rand \mapsto n}$

$\dfrac{\rho \vdash e \mapsto v}{\rho \vdash u\,e \mapsto \llbracket u \rrbracket^u(v)}$ $\qquad$ $\dfrac{\rho \vdash e_1 \mapsto v_1 \quad \rho \vdash e_2 \mapsto v_2}{\rho \vdash e_1\,b\,e_2 \mapsto \llbracket b \rrbracket^b(v_1, v_2)}$

Figure 2: Syntax and semantics


Lemma 1 (extensive$^v$). $\gamma^v \circ \alpha^v$ is extensive, that is: $\forall (V \in \wp(val)).\ V \subseteq \gamma^v(\alpha^v(V))$.

Lemma 2 (reductive$^v$). $\alpha^v \circ \gamma^v$ is reductive, that is: $\forall (v^\sharp \in val^\sharp).\ \alpha^v(\gamma^v(v^\sharp)) \sqsubseteq v^\sharp$.

Abstracting environments We abstract $\wp(env)$ with $env^\sharp$:

$\rho^\sharp \in env^\sharp := var \to val^\sharp$

Justifying that $env^\sharp$ is a valid abstraction is done through a Galois connection $\wp(env) \underset{\alpha^e}{\overset{\gamma^e}{\leftrightarrows}} env^\sharp$:

$\alpha^e : \wp(env) \nearrow env^\sharp$
$\alpha^e(R) := \lambda(x).\ \alpha^v(\{ \rho(x) \mid \rho \in R \})$

$\gamma^e : env^\sharp \nearrow \wp(env)$
$\gamma^e(\rho^\sharp) := \{ \rho \mid \forall (x).\ \rho(x) \in \gamma^v(\rho^\sharp(x)) \}$

Lemma 3 (extensive$^e$). $\gamma^e \circ \alpha^e$ is extensive, that is: $\forall (R \in \wp(env)).\ R \subseteq \gamma^e(\alpha^e(R))$.

Lemma 4 (reductive$^e$). $\alpha^e \circ \gamma^e$ is reductive, that is: $\forall (\rho^\sharp \in env^\sharp).\ \alpha^e(\gamma^e(\rho^\sharp)) \sqsubseteq \rho^\sharp$.

Abstracting the function space To abstract $\wp(env) \nearrow \wp(val)$, we abstract its components pointwise with $env^\sharp \nearrow val^\sharp$, and justify the abstraction with another Galois connection.

$\alpha^{e \to v} : (\wp(env) \nearrow \wp(val)) \nearrow (env^\sharp \nearrow val^\sharp)$
$\alpha^{e \to v}(f) := \alpha^v \circ f \circ \gamma^e$

$\gamma^{e \to v} : (env^\sharp \nearrow val^\sharp) \nearrow (\wp(env) \nearrow \wp(val))$
$\gamma^{e \to v}(f^\sharp) := \gamma^v \circ f^\sharp \circ \alpha^e$

Lemma 5 (extensive$^{e \to v}$). $\gamma^{e \to v} \circ \alpha^{e \to v}$ is extensive, that is: $\forall (f \in \wp(env) \nearrow \wp(val)).\ f \sqsubseteq \gamma^{e \to v}(\alpha^{e \to v}(f))$.
Numeric literals

$\alpha^v(\{ v \mid \exists \rho \in \gamma^e(\rho^\sharp) : \rho \vdash n \mapsto v \})$
$= \alpha^v(\{ n \})$  ⟦ definition of $\rho \vdash n \mapsto v$ ⟧
$= eval^\sharp[n](\rho^\sharp)$  ⟦ by defining $eval^\sharp[n](\rho^\sharp) := \alpha^v(\{ n \})$ ⟧

Variable reference

$\alpha^v(\{ v \mid \exists \rho \in \gamma^e(\rho^\sharp) : \rho \vdash x \mapsto v \})$
$= \alpha^v(\{ \rho(x) \mid \rho \in \gamma^e(\rho^\sharp) \})$  ⟦ definition of $\rho \vdash x \mapsto v$ ⟧
$= \alpha^{e \to v}(\lambda(R).\{ \rho(x) \mid \rho \in R \})(\rho^\sharp)$  ⟦ definition of $\alpha^{e \to v}$ ⟧
$\sqsubseteq \rho^\sharp(x)$  ⟦ Fact: $\alpha^{e \to v}(\lambda(R).\{ \rho(x) \mid \rho \in R \}) \sqsubseteq (\lambda(\rho^\sharp).\ \rho^\sharp(x))$ ⟧
$= eval^\sharp[x](\rho^\sharp)$  ⟦ by defining $eval^\sharp[x](\rho^\sharp) := \rho^\sharp(x)$ ⟧

Unary operators

$\alpha^v(\{ v \mid \exists \rho \in \gamma^e(\rho^\sharp) : \rho \vdash u\,e \mapsto v \})$
$= \alpha^v(\{ \llbracket u \rrbracket^u(v) \mid \exists \rho \in \gamma^e(\rho^\sharp) : \rho \vdash e \mapsto v \})$  ⟦ definition of $\rho \vdash u\,e \mapsto v$ ⟧
$\sqsubseteq \alpha^v(\{ \llbracket u \rrbracket^u(v) \mid v \in \gamma^v(\alpha^v(\{ v' \mid \exists \rho \in \gamma^e(\rho^\sharp) : \rho \vdash e \mapsto v' \})) \})$  ⟦ $\alpha^v$ monotone and $\gamma^v \circ \alpha^v$ extensive ⟧
$= \alpha^v(\{ \llbracket u \rrbracket^u(v) \mid v \in \gamma^v(\alpha^{e \to v}(eval[e])(\rho^\sharp)) \})$  ⟦ definition of $\alpha^{e \to v}$ and $eval[e]$ ⟧
$\sqsubseteq \alpha^v(\{ \llbracket u \rrbracket^u(v) \mid v \in \gamma^v(eval^\sharp[e](\rho^\sharp)) \})$  ⟦ $\alpha^v$ monotonic and inductive hypothesis for $e$ ⟧
$= \alpha^{v \to v}(\lambda(V).\{ \llbracket u \rrbracket^u(v) \mid v \in V \})(eval^\sharp[e](\rho^\sharp))$  ⟦ definition of $\alpha^{v \to v}$ ⟧
$\sqsubseteq \llbracket u \rrbracket^{u\sharp}(eval^\sharp[e](\rho^\sharp))$  ⟦ by assuming $\alpha^{v \to v}(\lambda(V).\{ \llbracket u \rrbracket^u(v) \mid v \in V \}) \sqsubseteq \llbracket u \rrbracket^{u\sharp}$ ⟧
$= eval^\sharp[u\,e](\rho^\sharp)$  ⟦ by defining $eval^\sharp[u\,e](\rho^\sharp) := \llbracket u \rrbracket^{u\sharp}(eval^\sharp[e](\rho^\sharp))$ ⟧

Figure 3: Cousot’s classical calculation of the Generic Abstract Interpreter


Lemma 6 (reductive$^{e \to v}$). $\alpha^{e \to v} \circ \gamma^{e \to v}$ is reductive, that is: $\forall (f^\sharp \in env^\sharp \nearrow val^\sharp).\ \alpha^{e \to v}(\gamma^{e \to v}(f^\sharp)) \sqsubseteq f^\sharp$.

Inducing a best specification A best specification for any abstraction of $eval$ is induced from the Galois connection

$\wp(env) \nearrow \wp(val) \underset{\alpha^{e \to v}}{\overset{\gamma^{e \to v}}{\leftrightarrows}} env^\sharp \nearrow val^\sharp$

as $\alpha^{e \to v}(eval)$, or $\alpha^v \circ eval \circ \gamma^e$. An abstract semantics can then be shown to satisfy this specification through an ordered relationship $\alpha^{e \to v}(eval) \sqsubseteq eval^\sharp$.

The process of calculation is to construct $eval^\sharp$ through a chain of ordered reasoning: $\alpha^{e \to v}(eval[e]) = \alpha^v \circ eval[e] \circ \gamma^e \sqsubseteq \ldots \sqsubseteq eval^\sharp[e]$ such that $eval^\sharp$ is an algorithm, at which point we have defined $eval^\sharp[e]$ through calculation.

2.1 Calculating the Abstract Interpreter

The calculation of $eval^\sharp$ begins by expanding definitions:

$\alpha^{e \to v}(eval[e])(\rho^\sharp)$
$= \alpha^v(eval[e](\gamma^e(\rho^\sharp)))$  ⟦ definition of $\alpha^{e \to v}$ ⟧
$= \alpha^v(\{ v \mid \exists \rho \in \gamma^e(\rho^\sharp) : \rho \vdash e \mapsto v \})$  ⟦ definition of $eval[e]$ ⟧

In case $\gamma^e(\rho^\sharp) = \emptyset$, we have $\alpha^{e \to v}(eval[e])(\rho^\sharp) = \alpha^v(\emptyset) = \bot$. Otherwise, we proceed by induction on $e$, assuming $\gamma^e(\rho^\sharp)$ is nonempty.

In figure 3, we show the calculations for literals, variables, and unary operator expressions. This calculation is generic, meaning it is parameterized by implementations for abstracting random numbers, and unary and binary operators. The parameters for the unary operator case are an abstract unary denotation $\llbracket u \rrbracket^{u\sharp} \in val^\sharp \nearrow val^\sharp$ and a proof that it abstracts the concrete unary denotation:

$\alpha^{v \to v}(\lambda(V).\{ \llbracket u \rrbracket^u(v) \mid v \in V \})(v^\sharp) \sqsubseteq \llbracket u \rrbracket^{u\sharp}(v^\sharp)$

The calculation for the remaining forms can be found in Cousot’s notes [8, lec. 16]. This calculation serves to contrast with the constructive calculation we develop in section 4.5, which is more amenable to verification and extraction in Agda.
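As an added example (our own Python, not code from the paper or its Agda development), the following models the sign abstraction of section 2 and the generic interpreter $eval^\sharp$ calculated in figure 3 over a finite window of integers, so that Lemmas 1 and 2, the unary-operator proof obligation above, and the calculation goal $\alpha^{e \to v}(eval[e])(\rho^\sharp) \sqsubseteq eval^\sharp[e](\rho^\sharp)$ can be checked by enumeration. The sign tables for the abstract operators, the choice of $\top$ for rand, and the window [-3, 3] are assumptions; the concrete unary denotations follow figure 4 ([+] = suc, [-] = pred).

```python
from itertools import combinations, product

# val# = {-, 0, +, top, bot} with bot ⊑ -, 0, + ⊑ top (constructed string encoding).
BOT, NEG, ZERO, POS, TOP = 'bot', '-', '0', '+', 'top'
VAL_SHARP = (BOT, NEG, ZERO, POS, TOP)

def leq(a, b):
    """Partial order on val#: bot below everything, top above everything, -, 0, + incomparable."""
    return a == b or a == BOT or b == TOP

def join(a, b):
    return b if leq(a, b) else a if leq(b, a) else TOP

def alpha_v(V):
    """alpha^v : P(val) -> val#, the least sign covering every element of V (bot for the empty set)."""
    s = BOT
    if any(v < 0 for v in V): s = join(s, NEG)
    if 0 in V:                s = join(s, ZERO)
    if any(v > 0 for v in V): s = join(s, POS)
    return s

def gamma_v(s, U):
    """gamma^v : val# -> P(val), cut down to the finite universe U (gamma^v(top) = Z is infinite)."""
    keep = {NEG: lambda v: v < 0, ZERO: lambda v: v == 0, POS: lambda v: v > 0,
            TOP: lambda v: True, BOT: lambda v: False}[s]
    return frozenset(v for v in U if keep(v))

def galois_laws_hold(U):
    """Lemma 1 (V ⊆ gamma(alpha(V))) and Lemma 2 (alpha(gamma(s)) ⊑ s), exhaustively over U."""
    subsets = [frozenset(c) for r in range(len(U) + 1) for c in combinations(U, r)]
    extensive = all(V <= gamma_v(alpha_v(V), U) for V in subsets)
    reductive = all(leq(alpha_v(gamma_v(s, U)), s) for s in VAL_SHARP)
    return extensive and reductive

# Concrete denotations, as in the paper's Agda figure: [+]^u = suc, [-]^u = pred.
UNARY = {'+': lambda v: v + 1, '-': lambda v: v - 1}
BINARY = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, 'x': lambda a, b: a * b}

# Abstract denotations [u]^u# and [b]^b#, the parameters of the generic interpreter (our tables).
def unary_sharp(u, s):
    if s in (BOT, TOP):
        return s
    return {'+': {NEG: TOP, ZERO: POS, POS: POS}, '-': {NEG: NEG, ZERO: NEG, POS: TOP}}[u][s]

ADD = {(NEG, NEG): NEG, (NEG, ZERO): NEG, (ZERO, NEG): NEG, (ZERO, ZERO): ZERO,
       (POS, ZERO): POS, (ZERO, POS): POS, (POS, POS): POS}          #  mixed signs give top
MUL = {(NEG, NEG): POS, (POS, POS): POS, (NEG, POS): NEG, (POS, NEG): NEG}
NEGATE = {NEG: POS, ZERO: ZERO, POS: NEG}

def binary_sharp(b, s1, s2):
    if BOT in (s1, s2):
        return BOT                       # no concrete value: the result is unreachable
    if b == 'x' and ZERO in (s1, s2):
        return ZERO                      # 0 * anything is 0, even for top
    if TOP in (s1, s2):
        return TOP
    if b == '-':                         # s1 - s2 = s1 + (-s2)
        b, s2 = '+', NEGATE[s2]
    return (ADD if b == '+' else MUL).get((s1, s2), TOP)

def unary_param_sound(u, U):
    """Proof obligation alpha^{v->v}(lam V.{[u](v) | v in V})(s) ⊑ [u]^#(s) for every s, checked on U."""
    return all(leq(alpha_v({UNARY[u](v) for v in gamma_v(s, U)}), unary_sharp(u, s))
               for s in VAL_SHARP)

# Expressions: ('num', n) | ('var', x) | ('rand',) | ('unary', u, e) | ('binary', b, e1, e2).
def eval_c(e, R, U):
    """Collecting semantics eval[e](R) = {v | exists rho in R : rho |- e |-> v}; rand ranges over U."""
    kind = e[0]
    if kind == 'num':
        return frozenset({e[1]}) if R else frozenset()
    if kind == 'var':
        return frozenset(rho[e[1]] for rho in R)
    if kind == 'rand':
        return frozenset(U) if R else frozenset()
    if kind == 'unary':
        return frozenset(UNARY[e[1]](v) for v in eval_c(e[2], R, U))
    # Binary: both operands are evaluated under the same rho, as the relational semantics demands.
    return frozenset(BINARY[e[1]](v1, v2) for rho in R
                     for v1 in eval_c(e[2], [rho], U) for v2 in eval_c(e[3], [rho], U))

def eval_sharp(e, rho_sharp):
    """The calculated generic abstract interpreter eval#[e](rho#) of figure 3."""
    kind = e[0]
    if kind == 'num':
        return alpha_v({e[1]})             # eval#[n](rho#) := alpha^v({n})
    if kind == 'var':
        return rho_sharp[e[1]]             # eval#[x](rho#) := rho#(x)
    if kind == 'rand':
        return TOP                         # our abstraction of random integers
    if kind == 'unary':
        return unary_sharp(e[1], eval_sharp(e[2], rho_sharp))
    return binary_sharp(e[1], eval_sharp(e[2], rho_sharp), eval_sharp(e[3], rho_sharp))

def gamma_e(rho_sharp, U):
    """gamma^e(rho#) = {rho | forall x. rho(x) in gamma^v(rho#(x))}, as a list of dicts over U."""
    xs = sorted(rho_sharp)
    return [dict(zip(xs, vs)) for vs in product(*(gamma_v(rho_sharp[x], U) for x in xs))]

def sound(e, rho_sharp, U):
    """Calculation goal: alpha^v(eval[e](gamma^e(rho#))) ⊑ eval#[e](rho#)."""
    return leq(alpha_v(eval_c(e, gamma_e(rho_sharp, U), U)), eval_sharp(e, rho_sharp))
```

Because the universe is finite, the checks are necessary conditions only; the Agda development proves them for all of $\mathbb{Z}$. The `x - x` case shows the interpreter is sound but imprecise: the concrete result is 0 while $eval^\sharp$ returns $\top$.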


3. Mechanization: The Easy Parts 

We aim to mechanize calculations of the style presented in figure 3. 
Some parts are easy; we start with those. 

Figure 4 gives the syntax and semantics in Agda. Variables are modelled as an index into an environment of statically known size; otherwise, the syntax of $exp$ translates directly. The meaning of unary operators is given by a function, while binary operators are defined relationally, to account for the partiality of $\llbracket / \rrbracket$ and $\llbracket \% \rrbracket$, which take elements of $\mathbb{Z}^{+}$: integers paired with a proof of being non-zero. Environments are modelled intensionally as a list of values, rather than extensionally with Agda’s function space. Environments are statically well-formed to contain a value mapping for every variable, resulting in a total lookup function $\_[\_]$. Partiality is eliminated from the definition of environment lookup by static well-formedness. The relational semantics is defined using a dependent inductive type, $\_ \vdash \_ \mapsto \_$.

To encode $eval$, we create powersets using characteristic functions, assuming set-theoretic primitives (defined later), where the judgement x ∈ mk[℘](p) holds iff p(x) is inhabited.

℘ : Set → Set
mk[℘] : ∀ {A} → (A → Set) → ℘ A
_∈_ : ∀ {A} → A → ℘ A → Set

The eval function is then defined using an existential type inside of a characteristic function:

eval[_] : ∀ {Γ} → exp Γ → ℘ (env Γ) → ℘ val
eval[ e ] R = mk[℘] (λ v → ∃ ρ st (ρ ∈ R) × (ρ ⊢ e ↦ v))


4. Constructive Abstract Interpretation 

The Galois connections presented in section 2 are not immediately amenable to encoding in Agda, or constructive logic in general. The heart of the problem is the definition of $\alpha^v$:

$\alpha^v(V) := -\ \text{if}\ \exists v \in V : v < 0$
$\qquad\qquad \sqcup\ 0\ \text{if}\ 0 \in V$
$\qquad\qquad \sqcup\ +\ \text{if}\ \exists v \in V : v > 0$
val = ℤ
size = ℕ

data var : size → Set where
  Zero : ∀ {Γ} → var (Suc Γ)
  Suc  : ∀ {Γ} → var Γ → var (Suc Γ)

data unary : Set where [+] [-] : unary

data binary : Set where [+] [-] [×] [/] [%] : binary

data exp (Γ : size) : Set where
  Num       : ℤ → exp Γ
  Var       : var Γ → exp Γ
  Rand      : exp Γ
  Unary[_]  : unary → exp Γ → exp Γ
  Binary[_] : binary → exp Γ → exp Γ → exp Γ

⟦_⟧ᵘ : unary → val → val
⟦ [+] ⟧ᵘ = suc
⟦ [-] ⟧ᵘ = pred

data _∈⟦_⟧ᵇ_ : val → binary → val × val → Set where
  [+] : ∀ {v₁ v₂} → (v₁ + v₂) ∈⟦ [+] ⟧ᵇ (v₁ , v₂)
  [-] : ∀ {v₁ v₂} → (v₁ - v₂) ∈⟦ [-] ⟧ᵇ (v₁ , v₂)
  [×] : ∀ {v₁ v₂} → (v₁ × v₂) ∈⟦ [×] ⟧ᵇ (v₁ , v₂)
  [/] : ∀ {v₁ v₂} {p : v₂ ≢ Zero} → (v₁ / mk[ℤ⁺] v₂ p) ∈⟦ [/] ⟧ᵇ (v₁ , v₂)
  [%] : ∀ {v₁ v₂} {p : v₂ ≢ Zero} → (v₁ % mk[ℤ⁺] v₂ p) ∈⟦ [%] ⟧ᵇ (v₁ , v₂)

data env : size → Set where
  []  : env Zero
  _∷_ : ∀ {Γ} → val → env Γ → env (Suc Γ)

_[_] : ∀ {Γ} → env Γ → var Γ → val
(v ∷ ρ) [ Zero ]  = v
(v ∷ ρ) [ Suc x ] = ρ [ x ]

data _⊢_↦_ {Γ} : env Γ → exp Γ → val → Set where
  Num    : ∀ {ρ n} → ρ ⊢ Num n ↦ n
  Var    : ∀ {ρ x} → ρ ⊢ Var x ↦ ρ [ x ]
  Rand   : ∀ {ρ n} → ρ ⊢ Rand ↦ n
  Unary  : ∀ {ρ o e v₁ v₂} → v₂ ≡ ⟦ o ⟧ᵘ v₁ → ρ ⊢ e ↦ v₁ → ρ ⊢ Unary[ o ] e ↦ v₂
  Binary : ∀ {ρ o e₁ e₂ v₁ v₂ v₃} → v₃ ∈⟦ o ⟧ᵇ (v₁ , v₂) → ρ ⊢ e₁ ↦ v₁ → ρ ⊢ e₂ ↦ v₂
         → ρ ⊢ Binary[ o ] e₁ e₂ ↦ v₃

Figure 4: Syntax and semantics in Agda


A literal translation of $\alpha^v$ to constructive logic would require deciding predicates such as $\exists v \in V : v < 0$ in order to return a value of type $val^\sharp$; however, such predicates are in general undecidable.

There are a number of known options for encoding $\alpha^v$, each of which has shortcomings for our goal of extracting computation from the result of a verified calculation.

Non-solution 1: Admit Excluded Middle One option for defining $\alpha^v$ is to postulate the law of excluded middle:

excluded-middle : ∀ (P : Set) → P ⊎ (¬ P)

This axiom imbues the logic with classical reasoning, is logically consistent, and would allow us to perform case analysis on the existential predicate $\exists v \in V : v < 0$ to complete a definition for $\alpha^v$. This approach has the drawback that definitions no longer carry computational content, and cannot be extracted or computed with in general.

Non-solution 2: Work in Powerset Another option is to always work inside the powerset type $\wp$, meaning $\alpha^v$ would have type $\wp(val) \nearrow \wp(val^\sharp)$. This approach also allows for a successful definition of $\alpha^v$, but again suffers from not being a computation. Functions at type $\wp(val) \nearrow \wp(val^\sharp)$ cannot be executed to produce values at type $val^\sharp$, which is the end goal.

Non-solution 3: Only use Concretization The state of the art in mechanizing abstract interpreters is to use “$\gamma$-only” encodings of soundness and completeness properties [14]. However, this approach has a number of drawbacks: it does not support calculation, it gives the engineer no guidance as to whether or not their $\gamma$ is sensible (sound and complete w.r.t. $\alpha$), and it is less compositional than the Galois connection framework.

4.1 Our Solution: A Specification Effect 

The problem of encoding Galois connections in constructive logic exists with an apparent dichotomy: if the construction is too classical then one cannot extract computation from the result, and if it is too constructive it prevents the definition of classical structures like Galois connections. We find a solution to this problem through a new Galois connection framework which marks the transition from constructive to classical with a monadic effect. Classical and constructive reasoning can then be combined within the same framework, and classical constructions can be promoted to constructive ones after they are shown to be effect-free.

We find a solution to the problem of encoding calculational abstract interpretation in constructive logic by reformulating the definition of a Galois connection into the powerset Kleisli category. This approach:

1. is rooted in the first principles of Galois connections,

2. allows for the definition of Galois connections which would otherwise require classical reasoning (like excluded middle),

3. supports abstract interpretation by calculus, and

4. allows for the extraction of algorithms from calculations.

The transition to the powerset Kleisli category results in abstraction and concretization mappings which have a specification effect, meaning they return a classical powerset value, which we model non-constructively. The laws that accompany the Galois connection will then introduce and eliminate this effect. Combined with monad laws, which also introduce and eliminate monadic effects, we are able to mix constructive and classical reasoning and extract an algorithm from the result of calculation, after all introduced effects have been eliminated.

4.2 Kleisli Galois Connections 

Kleisli Galois connections are formed by re-targeting the classical Galois connection framework from the category of posets to the powerset Kleisli category. The morphisms in this category are monotonic monadic functions $A \nearrow \wp(B)$ rather than their classical counterparts $A \nearrow B$. Powersets $\wp(A)$ are required to be monotonic themselves, meaning they are downward closed, i.e. $X \in \wp(A)$ is monotonic if and only if $\forall (x, y).\ x \in X \to y \sqsubseteq x \to y \in X$.

The reflexive morphism in the powerset Kleisli category is $return$, rather than $id$, where $return$ is defined as the downward
Numeric literals

${\alpha^{mv}}^*(eval^m[n]^*(\gamma^{me}(\rho^\sharp)))$
$= {\alpha^{mv}}^*(\{ v \mid \exists \rho \in \gamma^{me}(\rho^\sharp) : \rho \vdash n \mapsto v \})$  ⟦ definition of $eval^m[n]^*$ ⟧
$\sqsubseteq {\alpha^{mv}}^*(return(n))$  ⟦ definition of $\rho \vdash n \mapsto v$ ⟧
$= \alpha^{mv}(n)$  ⟦ monad right unit ⟧
$= return(\eta^v(n))$  ⟦ induced $\eta^v$ from $\alpha^{mv}$ ⟧
$= return(eval^{m\sharp}[n](\rho^\sharp))$  ⟦ by defining $eval^{m\sharp}[n](\rho^\sharp) := \eta^v(n)$ ⟧

Variable references

${\alpha^{mv}}^*(eval^m[x]^*(\gamma^{me}(\rho^\sharp)))$
$= {\alpha^{mv}}^*(\{ v \mid \exists \rho \in \gamma^{me}(\rho^\sharp) : \rho \vdash x \mapsto v \})$  ⟦ definition of $eval^m[x]^*$ ⟧
$= {\alpha^{mv}}^*(\{ \rho(x) \mid \rho \in \gamma^{me}(\rho^\sharp) \})$  ⟦ definition of $\rho \vdash x \mapsto v$ ⟧
$= {\alpha^{mv}}^*((\lambda(\rho).\ return(\rho(x)))^*(\gamma^{me}(\rho^\sharp)))$  ⟦ monad unit and associativity ⟧
$= \alpha^{e \to v}(\lambda(\rho).\ return(\rho(x)))(\rho^\sharp)$  ⟦ definition of $\alpha^{e \to v}$ ⟧
$\sqsubseteq return(\rho^\sharp(x))$  ⟦ Fact: $\alpha^{e \to v}(\lambda(\rho).\ return(\rho(x))) \sqsubseteq (\lambda(\rho^\sharp).\ return(\rho^\sharp(x)))$ ⟧
$= return(eval^{m\sharp}[x](\rho^\sharp))$  ⟦ by defining $eval^{m\sharp}[x](\rho^\sharp) := \rho^\sharp(x)$ ⟧

Unary operators

${\alpha^{mv}}^*(eval^m[u\,e]^*(\gamma^{me}(\rho^\sharp)))$
$= {\alpha^{mv}}^*(\{ \llbracket u \rrbracket^u(v) \mid \exists \rho \in \gamma^{me}(\rho^\sharp) : \rho \vdash e \mapsto v \})$  ⟦ definition of $eval^m[u\,e]^*$ ⟧
$= {\alpha^{mv}}^*((\lambda(v).\ return(\llbracket u \rrbracket^u(v)))^*(\{ v \mid \exists \rho \in \gamma^{me}(\rho^\sharp) : \rho \vdash e \mapsto v \}))$  ⟦ monad unit and associativity ⟧
$\sqsubseteq {\alpha^{mv}}^*((\lambda(v).\ return(\llbracket u \rrbracket^u(v)))^*(\{ v \mid v \in {\gamma^{mv}}^*({\alpha^{mv}}^*(\{ v' \mid \exists \rho \in \gamma^{me}(\rho^\sharp) : \rho \vdash e \mapsto v' \})) \}))$  ⟦ $\gamma^{mv} \odot \alpha^{mv}$ extensive ⟧
$= {\alpha^{mv}}^*((\lambda(v).\ return(\llbracket u \rrbracket^u(v)))^*(\{ v \mid v \in {\gamma^{mv}}^*(\alpha^{e \to v}(eval^m[e])(\rho^\sharp)) \}))$  ⟦ definition of $\alpha^{e \to v}$ and $eval^m[e]$ ⟧
$\sqsubseteq {\alpha^{mv}}^*((\lambda(v).\ return(\llbracket u \rrbracket^u(v)))^*({\gamma^{mv}}^*(return(eval^{m\sharp}[e](\rho^\sharp)))))$  ⟦ monotonicity of $\alpha^{mv}$, $return$ and $\_^*$, and IH for $e$ ⟧
$= \alpha^{v \to v}(\lambda(v).\ return(\llbracket u \rrbracket^u(v)))^*(return(eval^{m\sharp}[e](\rho^\sharp)))$  ⟦ definition of $\alpha^{v \to v}$ and monad associativity ⟧
$\sqsubseteq (\lambda(v^\sharp).\ return(\llbracket u \rrbracket^{u\sharp}(v^\sharp)))^*(return(eval^{m\sharp}[e](\rho^\sharp)))$  ⟦ by assuming $\alpha^{v \to v}(\lambda(v).\ return(\llbracket u \rrbracket^u(v)))(v^\sharp) \sqsubseteq return(\llbracket u \rrbracket^{u\sharp}(v^\sharp))$ ⟧
$= return(\llbracket u \rrbracket^{u\sharp}(eval^{m\sharp}[e](\rho^\sharp)))$  ⟦ monad right unit ⟧
$= return(eval^{m\sharp}[u\,e](\rho^\sharp))$  ⟦ by defining $eval^{m\sharp}[u\,e](\rho^\sharp) := \llbracket u \rrbracket^{u\sharp}(eval^{m\sharp}[e](\rho^\sharp))$ ⟧

Figure 5: Our constructive calculation of the Generic Abstract Interpreter


closure of the singleton set:

$return \in \forall (A).\ A \nearrow \wp(A)$
$return(x) = \{ y \mid y \sqsubseteq x \}$

The monadic bind operator, which we call extension and notate $\_^*$ in the tradition of Moggi [18], is defined using a dependent sum, or existential type:

$\_^* \in \forall (A, B).\ (A \nearrow \wp(B)) \nearrow (\wp(A) \nearrow \wp(B))$
$f^*(X) = \{ y \mid \exists x \in X : y \in f(x) \}$

To establish that $\wp$ forms a monad with $return$ and $\_^*$ we prove left-unit, right-unit and associativity laws.

Lemma 7 ($\wp$-monad). $\wp$ forms a monad with $return$ and $\_^*$, meaning the following properties hold:

left-unit : $\forall (X).\ return^*(X) = X$
right-unit : $\forall (f, x).\ f^*(return(x)) = f(x)$
associativity : $\forall (f, g, X).\ g^*(f^*(X)) = (\lambda(x).\ g^*(f(x)))^*(X)$

Composition in the powerset Kleisli category is notated $\_ \odot \_$ and defined with $\_^*$:

$\_ \odot \_ \in \forall (A, B, C).\ (B \nearrow \wp(C)) \nearrow (A \nearrow \wp(B)) \nearrow A \nearrow \wp(C)$
$(g \odot f)(x) = g^*(f(x))$

A Kleisli Galois connection $A \underset{\alpha^m}{\overset{\gamma^m}{\leftrightarrows}} B$, which we always notate with superscripts $\alpha^m$ and $\gamma^m$, is analogous to that of a classical Galois connection but with monadic morphisms, unit and composition:

$\alpha^m \in A \nearrow \wp(B)$
$\gamma^m \in B \nearrow \wp(A)$

extensive$^m$ : $\forall (x).\ return(x) \sqsubseteq {\gamma^m}^*(\alpha^m(x))$
reductive$^m$ : $\forall (x^\sharp).\ {\alpha^m}^*(\gamma^m(x^\sharp)) \sqsubseteq return(x^\sharp)$

The presence of $return$ as the identity is significant: $return$ marks the transition from pure values to those which have a “specification effect”. extensive$^m$ states that $\gamma^m \odot \alpha^m$ is a pure computation at best, and reductive$^m$ states that $\alpha^m \odot \gamma^m$ is a pure computation at worst. The consequence of this will be important during calculation: appealing to extensive$^m$ and reductive$^m$ will introduce and eliminate the specification effect, respectively.

4.3 Lifting Kleisli Galois Connections 

The end goal of our calculation is stated as a partial order relationship using a classical Galois connection: $\alpha^{e \to v}(eval) \sqsubseteq eval^\sharp$. If we wish to work with Kleisli Galois connections, we must build bridges between Kleisli results and classical ones. This bridge is stated as an isomorphism between Kleisli Galois connections and a subset of classical Galois connections that hold computational content, as shown in figure 1 of section 1. In addition to the Galois connections themselves, we map proofs of relatedness between Kleisli and classical Galois connections, so long as the classical result is of the form where $f$ and $g$ are monadic functions.

In order to leverage Kleisli Galois connections for our calculation we must recognize $eval$ as the extension of a monotonic monadic function $eval^m$. Recall the definition of $eval$:

$eval[e] \in \wp(env) \nearrow \wp(val)$
$eval[e](R) := \{ v \mid \exists \rho \in R : \rho \vdash e \mapsto v \}$

This is the extension of the monadic powerset function $eval^m$:

$eval^m[e] \in env \nearrow \wp(val)$
$eval^m[e](\rho) := \{ v \mid \rho \vdash e \mapsto v \}$

where, by definition of $\_^*$,

$eval^m[e]^*(R) = \{ v \mid \exists \rho \in R : \rho \vdash e \mapsto v \} = eval[e](R)$

This observation enables us to construct a Kleisli Galois connection

$env \nearrow \wp(val) \leftrightarrows env^\sharp \nearrow \wp(val^\sharp)$

and calculation

$\alpha^{e \to v}(eval[e]) \sqsubseteq eval^\sharp[e]$,

and lift the results to classical ones automatically via the soundness of the mapping from Kleisli to classical. Furthermore, we know that any classical Galois connection and classical calculation of $eval^\sharp$ can be encoded as Kleisli via the completeness of the Kleisli to classical mapping. We give precise definitions for soundness and completeness in section 7.


4.4 Constructive Galois Connections 

When performing calculation to discover $eval^{m\sharp}[e]$ from the induced specification $\alpha^{e \to v}(eval^m[e])$, we will require that the result be an algorithm, which we can now state precisely as having no monadic effect. The goal will then be to calculate the pure function $eval^{m\sharp}[e] \in env^\sharp \nearrow val^\sharp$ such that

$\alpha^{e \to v}(eval^m[e])(\rho^\sharp) \sqsubseteq return(eval^{m\sharp}[e](\rho^\sharp))$

However, at present, such a calculation will be problematic. Take for instance the definition we would like to end up with for numeric literal expressions:

$eval^{m\sharp}[n](\rho^\sharp) := \alpha^{mv}(n)$

This defines the abstract interpretation of a numeric literal as the immediate lifting of that literal to an abstract value. However, this definition is not valid, since $\alpha^{mv} \in val \nearrow \wp(val^\sharp)$ introduces a specification effect. The problem becomes magnified when we wish to parameterize over $\alpha^{mv}$, as Cousot does in his original derivation.

One idea is to restrict all $\alpha^m$ mappings to be pure, and only parameterize over abstractions for $val$ which have pure mappings. We take morally this approach, although later we show that it is not a restriction at all, and arises naturally through an isomorphism between Kleisli Galois connections and those which have pure abstraction functions, which we call constructive Galois connections. This isomorphism is visualized on the right-hand side of figure 1, and proofs are given in section 7.

A constructive Galois connection is a variant of Kleisli Galois connection where the abstraction function $\alpha^m$ is required to have no specification effect, which we call $\eta$ following the convention of [19, p. 237] where it is called an “extraction function”:

$\eta : A \nearrow B$
$\gamma^c : B \nearrow \wp(A)$

extensive$^c$ : $return(x) \sqsubseteq {\gamma^c}^*(return(\eta(x)))$
reductive$^c$ : $(\lambda(x).\ return(\eta(x)))^*(\gamma^c(x^\sharp)) \sqsubseteq return(x^\sharp)$
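As an added example (our own Python, not the paper's Agda development), the following models the powerset Kleisli monad of section 4.2 on finite posets, so that Lemma 7, the extensive$^m$/reductive$^m$ laws of a Kleisli Galois connection between a window of integers and the sign domain, and the "effect-free" promotion of section 4.4 (recovering the pure extraction function $\eta$ from an $\alpha^m$ of the form $return \circ \eta$) can be checked by enumeration. The window [-3, 3], the sign encoding and the helper names are assumptions.

```python
from itertools import combinations

# Abstract poset val# (constructed encoding): bot ⊑ -, 0, + ⊑ top.
BOT, NEG, ZERO, POS, TOP = 'bot', '-', '0', '+', 'top'
VAL_SHARP = (BOT, NEG, ZERO, POS, TOP)

class Poset:
    """A finite carrier with its order; monotonic powersets P(A) are its downward-closed subsets."""
    def __init__(self, carrier, leq):
        self.carrier, self.leq = tuple(carrier), leq
    def down(self, xs):
        """Downward closure {y | exists x in xs : y ⊑ x}, the least monotonic powerset containing xs."""
        xs = tuple(xs)
        return frozenset(y for y in self.carrier if any(self.leq(y, x) for x in xs))
    def ret(self, x):
        """return(x) = {y | y ⊑ x}, the Kleisli identity."""
        return self.down((x,))
    def monotonic_powersets(self):
        return {self.down(c) for r in range(len(self.carrier) + 1)
                for c in combinations(self.carrier, r)}

def ext(f, X):
    """Extension f*(X) = {y | exists x in X : y in f(x)} for a Kleisli arrow f : A -> P(B)."""
    return frozenset(y for x in X for y in f(x))

def kcompose(g, f):
    """Kleisli composition (g ⊙ f)(x) = g*(f(x))."""
    return lambda x: ext(g, f(x))

def monad_laws_hold(P, arrows):
    """Lemma 7 (left unit, right unit, associativity) over every monotonic X ⊆ P and the given arrows."""
    Xs = P.monotonic_powersets()
    left = all(ext(P.ret, X) == X for X in Xs)
    right = all(ext(f, P.ret(x)) == f(x) for f in arrows for x in P.carrier)
    assoc = all(ext(g, ext(f, X)) == ext(kcompose(g, f), X)
                for f in arrows for g in arrows for X in Xs)
    return left and right and assoc

# Concrete values: a finite window of Z with the discrete order, so every subset is downward closed.
INT = Poset(range(-3, 4), lambda a, b: a == b)
SIGN = Poset(VAL_SHARP, lambda a, b: a == b or a == BOT or b == TOP)

def eta(v):
    """The pure extraction function eta : val -> val# of the constructive Galois connection."""
    return NEG if v < 0 else ZERO if v == 0 else POS

def alpha_m(v):
    """alpha^m : val -> P(val#); here it is return ∘ eta, i.e. it carries no specification effect."""
    return SIGN.ret(eta(v))

def gamma_m(s):
    """gamma^m : val# -> P(val), the integers (in the window) described by a sign."""
    keep = {NEG: lambda v: v < 0, ZERO: lambda v: v == 0, POS: lambda v: v > 0,
            TOP: lambda v: True, BOT: lambda v: False}[s]
    return INT.down(v for v in INT.carrier if keep(v))

def kleisli_gc_holds():
    """extensive^m: return(x) ⊑ gamma^m*(alpha^m(x)); reductive^m: alpha^m*(gamma^m(x#)) ⊑ return(x#)."""
    extensive = all(INT.ret(v) <= kcompose(gamma_m, alpha_m)(v) for v in INT.carrier)
    reductive = all(kcompose(alpha_m, gamma_m)(s) <= SIGN.ret(s) for s in VAL_SHARP)
    return extensive and reductive

def extract_pure(f, domain, codomain):
    """If f(x) = return(y) for every x (no specification effect), return the pure table x ↦ y, else None."""
    table = {}
    for x in domain.carrier:
        ys = [y for y in codomain.carrier if f(x) == codomain.ret(y)]
        if not ys:
            return None
        table[x] = ys[0]
    return table
```

The right-unit law only holds for monotonic arrows, which is why the Kleisli category restricts its morphisms to monotonic monadic functions; `extract_pure` succeeds for $\alpha^m$ but not for $\gamma^m$, whose values are not principal downsets.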


4.5 Calculating the Interpreter, Constructively 

We now recast Cousot’s calculational derivation of a generic abstract interpreter in the setting of Kleisli Galois connections. In the next section we show how the constructive version is translatable to Agda. As before, we only show numeric literals, variable reference and unary operators; see our full Agda development for constructive calculations of the remaining cases.

Recall the constructive calculation goal, which is to discover a pure function $eval^{m\sharp}$ such that

$\alpha^{e \to v}(eval^m)(\rho^\sharp) \sqsubseteq return(eval^{m\sharp}(\rho^\sharp))$

This goal makes it clear that we are starting with a specification $eval^m : env \nearrow \wp(val)$, and working towards a pure computation $eval^{m\sharp} : env^\sharp \nearrow val^\sharp$. The process of calculation will eliminate the “specification effect” from the induced specification $\alpha^{e \to v}(eval^m)$ using monad laws and the reductive and extensive properties of Kleisli Galois connections.

The setting assumes Kleisli Galois connections for the abstractions of values $val \underset{\alpha^{mv}}{\overset{\gamma^{mv}}{\leftrightarrows}} val^\sharp$ and environments $env \underset{\alpha^{me}}{\overset{\gamma^{me}}{\leftrightarrows}} env^\sharp$, and their induced classical Galois connection for the monadic function space $env \nearrow \wp(val) \underset{\alpha^{e \to v}}{\overset{\gamma^{e \to v}}{\leftrightarrows}} env^\sharp \nearrow \wp(val^\sharp)$. When needed we replace $\alpha^m(x)$ with an equivalent pure extraction function $return(\eta(x))$ using the isomorphism between Kleisli and constructive Galois connections.

We begin calculating from the specification $\alpha^{e \to v}(eval^m)$ by unfolding definitions:

$\alpha^{e \to v}(eval^m[e])(\rho^\sharp)$
$= (\alpha^{mv} \odot eval^m[e] \odot \gamma^{me})(\rho^\sharp)$  ⟦ definition of $\alpha^{e \to v}$ ⟧
$= {\alpha^{mv}}^*(eval^m[e]^*(\gamma^{me}(\rho^\sharp)))$  ⟦ monad associativity ⟧

and proceed by induction on $e$. The calculations for numeric literals, variables and unary operators are shown in figure 5. The parameters for the unary operator case in the constructive setting are an abstract unary denotation $\llbracket u \rrbracket^{u\sharp} \in val^\sharp \nearrow val^\sharp$ and a proof that it abstracts the concrete unary denotation:

$\alpha^{v \to v}(\lambda(v).\ return(\llbracket u \rrbracket^u(v)))(v^\sharp) \sqsubseteq return(\llbracket u \rrbracket^{u\sharp}(v^\sharp))$

The biggest difference between our constructive derivation and Cousot’s classical derivation is the presence of the monadic unit $return$ and extension operator $\_^*$. In the process of calculation, monadic unit and associativity laws are used in combination with extensive and reductive properties to calculate toward a pure value, at which point the result is both a pure computation and an abstraction of $eval[e]$ simultaneously by construction.

5. Galois Connection Metatheory in Agda 

We now encode our constructive calculation of the Generic Abstract Interpreter in Agda, both to verify the results mechanically and to extract an executable version of the resulting abstract interpreter.

We mechanize the calculation of the interpreter first by developing a theory of posets, its monotonic function space, and a non-constructive powerset type, which we prove is a monad. Then we develop theories of classical, Kleisli and constructive Galois connections, as well as their soundness and completeness relationships. Finally, we embed the constructive calculation in Agda, arriving at an executable algorithm, and lift its correctness property to the classical correctness criteria initially specified by Cousot.

Returning to the numeric literal case of section 4.4, with a constructive Galois connection we can define the abstract interpretation for numeric literals as:

$eval^{m\sharp}[n](\rho^\sharp) := \eta^v(n)$

which is a pure computation that can be extracted and executed.


5.1 Posets in Agda 

We begin by defining PreOrd, a relation which is reflexive and tran¬ 
sitive. PreOrd is a type class, meaning top-level instance definitions 
will be automatically selected by Agda during type inference. 
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record PreOrd {A : Set) : Set where 
field 

: A —> A —> Set 
xRx'':<'’ : V {x} —> X :< X 

\xyz] ^y<z-> x<y ^ x<z 

We then define posets in Agda: 

  data POSet : Set where 
    ⇧ : (A : Set) → {{PO : PreOrd A}} → POSet 

The double curly brackets around PO indicate that the argument 
should be inferred through type class resolution, which we rely on 
heavily in our development. 

To work with elements of a POSet (rather than the builtin Set), we 
create another datatype ⟪_⟫, which selects the domain of a POSet: 

  dom : POSet → Set 
  dom (⇧ A {{PO}}) = A 

  data ⟪_⟫ (A : POSet) : Set where 
    ↑⟨_⟩ : dom A → ⟪ A ⟫ 

The reason for introducing a new datatype ⟪_⟫ is purely technical; 
it allows us to block reduction of elements of ⟪ A ⟫ until we witness 
its lifting from a value x : dom A into ↑⟨ x ⟩ : ⟪ A ⟫. 

Next, we induce a partial order on POSet from the antisymmetric 
closure of the supplied preorder lifted to elements of ⟪_⟫: 

  [_]_≤^dom_ : ∀ (A : POSet) → dom A → dom A → Set 
  [ ⇧ A {{PO}} ] x ≤^dom y = x ≤ y 

  data _⊑_ {A : POSet} : ⟪ A ⟫ → ⟪ A ⟫ → Set where 
    ↑⟨_⟩ : ∀ {x y : dom A} → [ A ] x ≤^dom y → ↑⟨ x ⟩ ⊑ ↑⟨ y ⟩ 

This definition of _⊑_ is designed to also block reduction until the 
liftings of x and y are likewise witnessed through pattern matching. 
We induce equivalence as the antisymmetric closure of _⊑_: 

  data _≈_ {A : POSet} (x y : ⟪ A ⟫) : Set where 
    ↑⟨_,_⟩ : x ⊑ y → y ⊑ x → x ≈ y 

We prove reflexivity, transitivity and antisymmetry for _⊑_, as well 
as reflexivity, transitivity and symmetry for _≈_: 

  xRx^⊑ : ∀ {A : POSet} {x : ⟪ A ⟫} → x ⊑ x 
  _⌾^⊑_ : ∀ {A : POSet} {x y z : ⟪ A ⟫} → y ⊑ z → x ⊑ y → x ⊑ z 
  ⋈^⊑ : ∀ {A : POSet} {x y : ⟪ A ⟫} → x ⊑ y → y ⊑ x → x ≈ y 
  xRx^≈ : ∀ {A : POSet} {x : ⟪ A ⟫} → x ≈ x 
  _⌾^≈_ : ∀ {A : POSet} {x y z : ⟪ A ⟫} → y ≈ z → x ≈ y → x ≈ z 
  ◇^≈ : ∀ {A : POSet} {x y : ⟪ A ⟫} → x ≈ y → y ≈ x 

Now we can define the two most important posets: the function 
space and powerset. 

5.2 Monotonic Functions in Agda 

To construct a poset for monotonic functions we carry proofs of 
monotonicity around with each function. 

  data mon (A B : POSet) : Set where 
    mk[mon] : (f : ⟪ A ⟫ → ⟪ B ⟫) 
            → {f-proper : ∀ {x y} → x ⊑ y → f x ⊑ f y} 
            → mon A B 

The PreOrd for mon is the pointwise ordering of _⊑_: 

  data _≤^mon_ {A B : POSet} : mon A B → mon A B → Set where 
    ↑⟨_⟩ : ∀ {f : ⟪ A ⟫ → ⟪ B ⟫} {f-proper : ∀ {x y} → x ⊑ y → f x ⊑ f y} 
             {g : ⟪ A ⟫ → ⟪ B ⟫} {g-proper : ∀ {x y} → x ⊑ y → g x ⊑ g y} 
         → (∀ {x} → f x ⊑ g x) 
         → mk[mon] f {f-proper} ≤^mon mk[mon] g {g-proper} 

We lift mon to a POSet with _⇒_: 

  _⇒_ : POSet → POSet → POSet 
  A ⇒ B = ⇧ (mon A B) 

Application in _⇒_ is _·_: 

  _·_ : ∀ {A B : POSet} → ⟪ A ⇒ B ⟫ → ⟪ A ⟫ → ⟪ B ⟫ 
  ↑⟨ mk[mon] f {f-proper} ⟩ · x = f x 

We define a helper function for creating values in _⇒_ which 
requires no monotonicity proof (which we use for demonstration 
purposes only): 

  mk[⇒] : ∀ {A B : POSet} → (⟪ A ⟫ → ⟪ B ⟫) → ⟪ A ⇒ B ⟫ 
  mk[⇒] f = ↑⟨ mk[mon] f {f-proper} ⟩ where 
    postulate f-proper : ∀ {x y} → x ⊑ y → f x ⊑ f y 

For example, composition is defined as _⊙_: 

  _⊙_ : ∀ {A B C : POSet} → ⟪ B ⇒ C ⟫ → ⟪ A ⇒ B ⟫ → ⟪ A ⇒ C ⟫ 
  g ⊙ f = mk[⇒] (λ x → g · (f · x)) 


5.3 Monotonic Powerset in Agda 

We define powersets as monotonic characteristic functions into 
Agda’s Set type. 

  data pow (A : POSet) : Set where 
    mk[pow] : (φ : ⟪ A ⟫ → Set) 
            → {φ-proper : ∀ {x y} → y ⊑ x → φ x → φ y} 
            → pow A 

Whereas mk[⇒] f {f-proper} constructs a monotonic function from f, 
mk[pow] φ {φ-proper} constructs a set from a monotonic characteristic 
function φ. Antitonicity of the argument to φ in the statement of 
φ-proper is required to ensure sets are downward closed. 

The preorder for pow is implication: 

  data _≤^pow_ {A : POSet} : pow A → pow A → Set where 
    ↑⟨_⟩ : ∀ {φ₁ : ⟪ A ⟫ → Set} {φ₁-proper : ∀ {x y} → y ⊑ x → φ₁ x → φ₁ y} 
             {φ₂ : ⟪ A ⟫ → Set} {φ₂-proper : ∀ {x y} → y ⊑ x → φ₂ x → φ₂ y} 
         → (∀ {x} → φ₁ x → φ₂ x) 
         → mk[pow] φ₁ {φ₁-proper} ≤^pow mk[pow] φ₂ {φ₂-proper} 

We lift pow into the POSet type as 𝒫: 

  𝒫 : POSet → POSet 
  𝒫 A = ⇧ (pow A) 

The set-containment judgement is _∈_: 

  _∈_ : ∀ {A : POSet} → ⟪ A ⟫ → ⟪ 𝒫 A ⟫ → Set 
  x ∈ ↑⟨ mk[pow] φ {φ-proper} ⟩ = φ x 

And like functions, we provide a cheat for creating monotonic sets 
without the burden of a monotonicity proof: 

  mk[𝒫] : ∀ {A : POSet} → (⟪ A ⟫ → Set) → ⟪ 𝒫 A ⟫ 
  mk[𝒫] φ = ↑⟨ mk[pow] φ {φ-proper} ⟩ where 
    postulate φ-proper : ∀ {x y} → y ⊑ x → φ x → φ y 
  record _⇄_ (A B : POSet) : Set where -- Classical 
    field 
      α[_] : ⟪ A ⇒ B ⟫ 
      γ[_] : ⟪ B ⇒ A ⟫ 
      extensive[_] : ∀ {x : ⟪ A ⟫} 
        → x ⊑ γ[_] · (α[_] · x) 
      reductive[_] : ∀ {x♯ : ⟪ B ⟫} 
        → α[_] · (γ[_] · x♯) ⊑ x♯ 

  record _⇄ᵐ_ (A B : POSet) : Set where -- Kleisli 
    field 
      αᵐ[_] : ⟪ A ⇒ 𝒫 B ⟫ 
      γᵐ[_] : ⟪ B ⇒ 𝒫 A ⟫ 
      extensiveᵐ[_] : ∀ {x : ⟪ A ⟫} 
        → return · x ⊑ γᵐ[_] * · (αᵐ[_] · x) 
      reductiveᵐ[_] : ∀ {x♯ : ⟪ B ⟫} 
        → αᵐ[_] * · (γᵐ[_] · x♯) ⊑ return · x♯ 

  record _⇄ᶜ_ (A B : POSet) : Set where -- Constructive 
    field 
      η[_] : ⟪ A ⇒ B ⟫ 
      γᶜ[_] : ⟪ B ⇒ 𝒫 A ⟫ 
      extensiveᶜ[_] : ∀ {x : ⟪ A ⟫} 
        → return · x ⊑ γᶜ[_] * · (pure · η[_] · x) 
      reductiveᶜ[_] : ∀ {x♯ : ⟪ B ⟫} 
        → (pure · η[_]) * · (γᶜ[_] · x♯) ⊑ return · x♯ 

Figure 6: Classical, Kleisli, and constructive Galois connections. 


5.4 Powerset Monad in Agda 

The powerset monad has unit return, where return x is the set of all 
elements smaller than x, as defined by a characteristic function: 

  return : ∀ {A : POSet} → ⟪ A ⇒ 𝒫 A ⟫ 
  return = mk[⇒] (λ x → mk[𝒫] (λ y → y ⊑ x)) 

We lift the return operation to functions, which we call pure: 

  pure : ∀ {A B : POSet} → ⟪ (A ⇒ B) ⇒ (A ⇒ 𝒫 B) ⟫ 
  pure = mk[⇒] (λ f → mk[⇒] (λ x → return · (f · x))) 

Monadic extension is _*: 

  _* : ∀ {A B : POSet} → ⟪ A ⇒ 𝒫 B ⟫ → ⟪ 𝒫 A ⇒ 𝒫 B ⟫ 
  f * = mk[⇒] (λ X → mk[𝒫] (λ y → ∃ x 𝑠𝑡 (x ∈ X) × (y ∈ f · x))) 

We use _* to define Kleisli composition, _⟐_: 

  _⟐_ : ∀ {A B C : POSet} → ⟪ B ⇒ 𝒫 C ⟫ → ⟪ A ⇒ 𝒫 B ⟫ → ⟪ A ⇒ 𝒫 C ⟫ 
  g ⟐ f = mk[⇒] (λ x → g * · (f · x)) 

Finally, we prove (but omit here) the monad laws analogous to those in 
lemma 7. 
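To make the definitions of sections 5.1 to 5.4 concrete, the following Python is an added example (not the paper's Agda development) that replays them on a finite model: a constructed five-point sign lattice plays the role of the POSet, elements of 𝒫 A are its downward-closed subsets (exactly what the antitone φ-proper condition enforces), and return, pure, _* and _⟐_ are defined as above. The two Kleisli arrows smash and drop_zero, the lattice itself and every function name are assumptions of the example; the monad laws referred to as lemma 7 are then checked exhaustively rather than proved.

```python
"""Finite model of the powerset monad of Section 5 (added example, not the
paper's Agda).  The poset is a constructed five-point sign lattice and
an element of 𝒫(A) is a downward-closed subset of A."""
from itertools import chain, combinations

# Constructed finite poset: bot ⊑ neg, zero, pos ⊑ top; the three middle
# elements are pairwise incomparable.
SIGNS = ("bot", "neg", "zero", "pos", "top")

def leq(x, y):
    """The _≤_ of the PreOrd instance for SIGNS."""
    return x == y or x == "bot" or y == "top"

def down(xs):
    """Downward closure of a subset; pow's antitone φ-proper guarantees this."""
    return frozenset(y for y in SIGNS if any(leq(y, x) for x in xs))

def all_downsets():
    """Every element of 𝒫(SIGNS): the down-closure of every subset."""
    subsets = chain.from_iterable(combinations(SIGNS, k) for k in range(len(SIGNS) + 1))
    return sorted({down(s) for s in subsets}, key=sorted)

def is_monotone(f):
    """mon's f-proper for a Kleisli arrow: x ⊑ y implies f x ≤^pow f y (⊆)."""
    return all(f(x) <= f(y) for x in SIGNS for y in SIGNS if leq(x, y))

def ret(x):
    """return · x  =  { y | y ⊑ x }"""
    return down({x})

def pure(f):
    """pure · f  =  λ x → return · (f · x)"""
    return lambda x: ret(f(x))

def ext(f):
    """Monadic extension f *:  X ↦ { y | ∃ x 𝑠𝑡 x ∈ X, y ∈ f · x }"""
    return lambda X: frozenset(y for x in X for y in f(x))

def kleisli(g, f):
    """g ⟐ f  =  λ x → g * · (f · x)"""
    return lambda x: ext(g)(f(x))

# Two constructed monotone Kleisli arrows SIGNS → 𝒫(SIGNS).
def smash(x):
    """Keep only definedness: bot ↦ {bot}, anything else ↦ the whole lattice."""
    return ret("bot") if x == "bot" else down({"top"})

def drop_zero(x):
    """Refine top to the non-zero signs and send zero to bot (still monotone)."""
    if x == "top":
        return down({"neg", "pos"})
    return ret("bot") if x == "zero" else ret(x)

def monad_laws_hold(f, g):
    """Exhaustive check of the laws of lemma 7 on the finite model."""
    downsets = all_downsets()
    left_unit = all(ext(ret)(X) == X for X in downsets)            # return * = id
    right_unit = all(ext(f)(ret(x)) == f(x) for x in SIGNS)          # f * (return x) = f x
    assoc = all(ext(kleisli(g, f))(X) == ext(g)(ext(f)(X)) for X in downsets)
    closed = all(down(ext(f)(X)) == ext(f)(X) for X in downsets)     # f * lands in 𝒫
    return left_unit and right_unit and assoc and closed

if __name__ == "__main__":
    print(is_monotone(smash), is_monotone(drop_zero))
    print(monad_laws_hold(smash, drop_zero))
```

Note that right_unit only holds because the arrows are monotone: f * · (return · x) unions f over every y ⊑ x, and monotonicity is what makes that union collapse to f · x. Dropping monotonicity (for example by sending zero to the whole lattice but top to {bot}) makes the same check fail, which is the reason the Agda development carries f-proper with every function.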

6. Calculational Abstract Interpretation in Agda 

We show Agda types for classical, Kleisli and constructive Galois 
connections in figure 6. Using these definitions we calculate an 
abstract interpreter in Agda following the constructive approach 
described in section 4 in the following steps: 

1. Define a constructive Galois connection between env and env♯. 

2. Lift (1) and a parameterized Galois connection for val pointwise 
to the monotonic function space. 

3. Induce the specification for an abstraction of a monadic semantic 
function evalᵐ[e] as α^{env⇒val}(evalᵐ[e]). 

4. Calculate over α^{env⇒val}(evalᵐ[e]) until we arrive at a pure function 
pure(eval♯[e]). 

5. Lift the relationship α^{env⇒val}(evalᵐ[e]) ⊑ pure(eval♯[e]) to the 
classical abstraction of function extensions α^{𝒫(env)⇒𝒫(val)}(evalᵐ[e]*) ⊑ 
pure(eval♯[e])* through a mechanized proof of soundness of 
Kleisli Galois connections w.r.t. classical. 


6.1 Abstracting Environments in Agda 

We define a constructive Galois connection between env and env♯ 
rather than Kleisli because it results in nicer definitions. First we 
parameterize by an abstraction for values, which we do with an 
Agda module: 

  module ⇄env⇄ {val♯ : POSet} (⇄val⇄ : ⇧ val ⇄ᶜ val♯) where 

Abstract environments take the form of another list-like inductive 
datatype: 

  data env♯ : size → Set where 
    [] : env♯ Zero 
    _∷_ : ∀ {Γ} → ⟪ val♯ ⟫ → env♯ Γ → env♯ (Suc Γ) 

  _[_]♯ : ∀ {Γ} → env♯ Γ → var Γ → ⟪ val♯ ⟫ 
  (v♯ ∷ ρ♯) [ Zero ]♯ = v♯ 
  (v♯ ∷ ρ♯) [ Suc x ]♯ = ρ♯ [ x ]♯ 

The ordering for env♯ is the pointwise ordering: 

  data _≤^env♯_ : ∀ {Γ} → env♯ Γ → env♯ Γ → Set where 
    [] : [] ≤^env♯ [] 
    _∷_ : ∀ {Γ} {ρ₁ ρ₂ : env♯ Γ} {v₁ v₂} 
        → v₁ ⊑ v₂ → ρ₁ ≤^env♯ ρ₂ → (v₁ ∷ ρ₁) ≤^env♯ (v₂ ∷ ρ₂) 

The environment abstraction function η^env is the pointwise application 
of η[ ⇄val⇄ ]: 

  η^env : ∀ {Γ} → env Γ → env♯ Γ 
  η^env [] = [] 
  η^env (n ∷ ρ) = η[ ⇄val⇄ ] · ↑⟨ n ⟩ ∷ η^env ρ 

The concretization function γ^env is the pointwise concretization of 
γᶜ[ ⇄val⇄ ]: 

  data _∈γ^env_ : ∀ {Γ} → env Γ → env♯ Γ → Set where 
    [] : [] ∈γ^env [] 
    _∷_ : ∀ {Γ} {ρ : env Γ} {ρ♯ : env♯ Γ} {n v♯} 
        → ↑⟨ n ⟩ ∈ γᶜ[ ⇄val⇄ ] · v♯ → ρ ∈γ^env ρ♯ → (n ∷ ρ) ∈γ^env (v♯ ∷ ρ♯) 

The η^env and _∈γ^env_ functions are sound and complete by pointwise 
applications of soundness and completeness from ⇄val⇄: 

  sound^env : ∀ {Γ} (ρ : env Γ) → ρ ∈γ^env η^env ρ 
  sound^env [] = [] 
  sound^env (x ∷ ρ) = soundᶜ[ ⇄val⇄ ] ∷ sound^env ρ 

  complete^env : ∀ {Γ} {ρ : env Γ} {ρ♯} → ρ ∈γ^env ρ♯ → η^env ρ ≤^env♯ ρ♯ 
  complete^env [] = [] 
  complete^env (n∈γ[v♯] ∷ ρ∈γ[ρ♯]) = 
    completeᶜ[ ⇄val⇄ ] n∈γ[v♯] ∷ complete^env ρ∈γ[ρ♯] 

From these definitions, we construct ⇄env⇄ : ∀ {Γ} → ⇧ (env Γ) ⇄ᶜ ⇧ (env♯ Γ) 
using a helper function mk[⇄ᶜ↑] for lifting primitive definitions 
(non-POSet) to Galois connections: 

  ⇄env⇄ : ∀ {Γ} → ⇧ (env Γ) ⇄ᶜ ⇧ (env♯ Γ) 
  ⇄env⇄ = mk[⇄ᶜ↑] η^env (λ ρ ρ♯ → ρ ∈γ^env ρ♯) sound^env complete^env 

6.2 Inducing a Best Specification in Agda 

The monadic semantics is encoded with the evaluation relation: 

  evalᵐ[_] : ∀ {Γ} → exp Γ → ⟪ ⇧ (env Γ) ⇒ 𝒫 (⇧ val) ⟫ 
  evalᵐ[ e ] = mk[⇒↑] (λ ρ → mk[𝒫↑] (λ v → ρ ⊢ e ⇓ v)) 

To induce a best abstraction we first encode the pointwise lifting 
of two Kleisli Galois connections ⇄A⇄ and ⇄B⇄ to a classical 
Galois connection over the monadic function space as ⇄A⇄ ⇒ᵐ⇄ᵐ ⇄B⇄: 

  _⇒ᵐ⇄ᵐ_ : ∀ {A₁ A₂ B₁ B₂ : POSet} 
          → A₁ ⇄ᵐ A₂ → B₁ ⇄ᵐ B₂ → (A₁ ⇒ 𝒫 B₁) ⇄ (A₂ ⇒ 𝒫 B₂) 
  _⇒ᵐ⇄ᵐ_ {A₁} {A₂} {B₁} {B₂} ⇄A⇄ ⇄B⇄ = record 
    { α[_] = mk[⇒] (λ f → αᵐ[ ⇄B⇄ ] ⟐ f ⟐ γᵐ[ ⇄A⇄ ]) 
    ; γ[_] = mk[⇒] (λ f♯ → γᵐ[ ⇄B⇄ ] ⟐ f♯ ⟐ αᵐ[ ⇄A⇄ ]) 
    ; extensive[_] = ... ; reductive[_] = ... } 

We can now state the specification for evalᵐ[ e ] as a pure function 
which approximates α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · evalᵐ[ e ]. 

6.3 Calculating the Interpreter, in Agda 

Before calculating we must lift the various semantic functions to 
the monotonic function space, like ⟦_⟧ᵘ, lookup[_] and lookup♯[_]: 

  ⟦_⟧ᵘ : unary → ⟪ ⇧ val ⇒ ⇧ val ⟫ 
  lookup[_] : ∀ {Γ} → var Γ → ⟪ ⇧ (env Γ) ⇒ ⇧ val ⟫ 
  lookup♯[_] : ∀ {Γ} → var Γ → ⟪ ⇧ (env♯ Γ) ⇒ val♯ ⟫ 

Our calculation will be parameterized by an abstraction for ⟦_⟧ᵘ: 

  postulate 
    ⟦_⟧ᵘ♯ : unary → ⟪ val♯ ⇒ val♯ ⟫ 
    α[⟦⟧ᵘ] : ∀ {u x♯} → α[ ⇄val⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · (pure · ⟦ u ⟧ᵘ) · x♯ 
                       ⊑ pure · ⟦ u ⟧ᵘ♯ · x♯ 

We are now set up to calculate eval♯[ e ] from its specification 
α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · evalᵐ[ e ]. Because we want to 
“discover” eval♯[ e ], rather than verify it a posteriori, we state its 
existence and then calculate its implementation: 

  eval♯[_] : ∀ {Γ} → exp Γ → ⟪ ⇧ (env♯ Γ) ⇒ val♯ ⟫ 

We begin by stating the type of our calculation: 

  α[evalᵐ] : ∀ {Γ} (e : exp Γ) (ρ♯ : ⟪ ⇧ (env♯ Γ) ⟫) 
           → α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · evalᵐ[ e ] · ρ♯ 
           ⊑ return · (eval♯[ e ] · ρ♯) 

and proceed by induction, the first case being numeric expressions. 
Each case will make use of our “proof mode” library, which we have 
developed in pure Agda to support calculation-style notation. 

Numeric literals We begin by stating the goal. We do this using 
our proof mode library with notation [[_]]: 

  α[evalᵐ] (Num n) ρ♯ = [proof-mode] 
    do [[ α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · evalᵐ[ Num n ] · ρ♯ ]] 

This state is definitionally equal to the expansion of α[_]: 

     ▸ [[ (pure · η[ ⇄val⇄ ] ⟐ evalᵐ[ Num n ] ⟐ γᶜ[ ⇄env⇄ ]) · ρ♯ ]] 

Next we unfold the definition of _⟐_, also by Agda computation: 

     ▸ [[ (pure · η[ ⇄val⇄ ]) * · (evalᵐ[ Num n ] * · (γᶜ[ ⇄env⇄ ] · ρ♯)) ]] 

The next step is to focus to the right of the application and replace 
evalᵐ[ Num n ] * · R with its denotation return · ↑⟨ n ⟩, which we 
prove by an auxiliary lemma β-evalᵐ[Num]: 

     ▸ [focus-right [·] of (pure · η[ ⇄val⇄ ]) * ] begin 
         do [[ evalᵐ[ Num n ] * · (γᶜ[ ⇄env⇄ ] · ρ♯) ]] 
          ▸ ⟅ β-evalᵐ[Num] {R = γᶜ[ ⇄env⇄ ] · ρ♯} ⟆[≡] 
          ▸ [[ return · ↑⟨ n ⟩ ]] 
       end 
     ▸ [[ (pure · η[ ⇄val⇄ ]) * · (return · ↑⟨ n ⟩) ]] 

Next we use the monad right-unit law to eliminate the application 
of an extension to a pure value: 

     ▸ ⟅ right-unit[*] (pure · η[ ⇄val⇄ ]) ⟆[≡] 
     ▸ [[ pure · η[ ⇄val⇄ ] · ↑⟨ n ⟩ ]] 
     ▸ [[ return · (η[ ⇄val⇄ ] · ↑⟨ n ⟩) ]] 

It is at this point that we have reached a pure computation, absent 
of any specification effect. We declare this expression to be the 
definition of eval♯[ Num n ] and conclude: 

     ▸ [[ return · (eval♯[ Num n ] · ρ♯) ]] ∎ 

Variables The calculation for variables is more interesting, as it 
doesn’t ignore the environment γᶜ[ ⇄env⇄ ] · ρ♯. We begin again 
by stating the goal: 

  α[evalᵐ] (Var x) ρ♯ = [proof-mode] 
    do [[ α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · evalᵐ[ Var x ] · ρ♯ ]] 

As before, the first thing we do is unfold the definition of α[_]: 

     ▸ [[ (pure · η[ ⇄val⇄ ] ⟐ evalᵐ[ Var x ] ⟐ γᶜ[ ⇄env⇄ ]) · ρ♯ ]] 
     ▸ [[ (pure · η[ ⇄val⇄ ]) * · (evalᵐ[ Var x ] * · (γᶜ[ ⇄env⇄ ] · ρ♯)) ]] 

Next we focus to the right of the left-most, and left of the right-most 
_·_ operator: 

     ▸ [focus-right [·] of (pure · η[ ⇄val⇄ ]) * ] begin 
         do [[ evalᵐ[ Var x ] * · (γᶜ[ ⇄env⇄ ] · ρ♯) ]] 
          ▸ [focus-left [·] of γᶜ[ ⇄env⇄ ] · ρ♯ ] begin 
              do [[ evalᵐ[ Var x ] * ]] 

Here we recognize that the specification for the semantics of Var 
x is equivalent to the computation of looking up a variable in the 
environment, using an auxiliary proof β-evalᵐ[Var]: 

               ▸ [focus-in [*] ] begin 
                   do [[ evalᵐ[ Var x ] ]] 
                    ▸ ⟅ β-evalᵐ[Var] {x = x} ⟆[≡] 
                    ▸ [[ pure · lookup[ x ] ]] 
                 end 
               ▸ [[ (pure · lookup[ x ]) * ]] 
            end 
          ▸ [[ (pure · lookup[ x ]) * · (γᶜ[ ⇄env⇄ ] · ρ♯) ]] 

Next we exploit the relationship between concrete environment 
lookup and abstract environment lookup: α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · 
(pure · lookup[ x ]) ⊑ pure · lookup♯[ x ]. To arrive at 
α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · (pure · lookup[ x ]), we first reason 
by extensiveness of ⇄val⇄: 

          ▸ ⟅ extensiveᶜ[*][ ⇄val⇄ ] ⟆[⊑] 
          ▸ [[ γᶜ[ ⇄val⇄ ] * · ((pure · η[ ⇄val⇄ ]) * · 
                 ((pure · lookup[ x ]) * · (γᶜ[ ⇄env⇄ ] · ρ♯))) ]] 

We identify the argument to the application as α[ ⇄env⇄ ⇒ᵐ⇄ᵐ 
⇄val⇄ ] · (pure · lookup[ x ]) · ρ♯ and weaken by its abstraction: 

          ▸ [focus-right [·] of γᶜ[ ⇄val⇄ ] * ] begin 
              do [[ (pure · η[ ⇄val⇄ ]) * · ((pure · lookup[ x ]) * · (γᶜ[ ⇄env⇄ ] · ρ♯)) ]] 
               ▸ [[ α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · (pure · lookup[ x ]) · ρ♯ ]] 
               ▸ ⟅ α[lookup] {x = x} ρ♯ ⟆[⊑] 
               ▸ [[ pure · lookup♯[ x ] · ρ♯ ]] 
               ▸ [[ return · (lookup♯[ x ] · ρ♯) ]] 
            end 
          ▸ [[ γᶜ[ ⇄val⇄ ] * · (return · (lookup♯[ x ] · ρ♯)) ]] 
       end 
     ▸ [[ (pure · η[ ⇄val⇄ ]) * · (γᶜ[ ⇄val⇄ ] * · (return · (lookup♯[ x ] · ρ♯))) ]] 

Finally we apply the reductive property of ⇄val⇄: 

     ▸ ⟅ reductiveᶜ[*][ ⇄val⇄ ] ⟆[⊑] 
     ▸ [[ return · (lookup♯[ x ] · ρ♯) ]] 

and declare the result as defining eval♯[ Var x ] and conclude: 

     ▸ [[ return · (eval♯[ Var x ] · ρ♯) ]] ∎ 

Unary operators The calculation of unary operators is interesting 
because it leverages an inductive hypothesis for the calculation. 

  α[evalᵐ] (Unary[ o ] e) ρ♯ with α[evalᵐ] e ρ♯ 
  ... | IH = [proof-mode] 
    do [[ α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · evalᵐ[ Unary[ o ] e ] · ρ♯ ]] 

In Agda, the with notation is a variation of let-binding which also 
performs dependent pattern matching refinements (although this 
example doesn’t use dependent pattern matching). We proceed as 
before by expanding the definition of α[_]: 

     ▸ [[ (pure · η[ ⇄val⇄ ] ⟐ evalᵐ[ Unary[ o ] e ] ⟐ γᶜ[ ⇄env⇄ ]) · ρ♯ ]] 
     ▸ [[ (pure · η[ ⇄val⇄ ]) * · 
            (evalᵐ[ Unary[ o ] e ] * · (γᶜ[ ⇄env⇄ ] · ρ♯)) ]] 

As before we focus between the two _·_s: 

     ▸ [focus-right [·] of (pure · η[ ⇄val⇄ ]) * ] begin 
         do [[ evalᵐ[ Unary[ o ] e ] * · (γᶜ[ ⇄env⇄ ] · ρ♯) ]] 
          ▸ [focus-left [·] of γᶜ[ ⇄env⇄ ] · ρ♯ ] begin 
              do [[ evalᵐ[ Unary[ o ] e ] * ]] 

We then replace the evalᵐ[ Unary[ o ] e ] specification with an 
equivalent computation, pure · ⟦ o ⟧ᵘ ⟐ evalᵐ[ e ]: 

               ▸ [focus-in [*] ] begin 
                   do [[ evalᵐ[ Unary[ o ] e ] ]] 
                    ▸ ⟅ β-evalᵐ[Unary] ⟆[≡] 
                    ▸ [[ pure · ⟦ o ⟧ᵘ ⟐ evalᵐ[ e ] ]] 
                 end 
               ▸ [[ (pure · ⟦ o ⟧ᵘ ⟐ evalᵐ[ e ]) * ]] 
            end 

We then reassociate: 

          ▸ [[ (pure · ⟦ o ⟧ᵘ ⟐ evalᵐ[ e ]) * · (γᶜ[ ⇄env⇄ ] · ρ♯) ]] 
          ▸ ⟅ associative[*] (pure · ⟦ o ⟧ᵘ) evalᵐ[ e ] (γᶜ[ ⇄env⇄ ] · ρ♯) ⟆[≡] 
          ▸ [[ (pure · ⟦ o ⟧ᵘ) * · (evalᵐ[ e ] * · (γᶜ[ ⇄env⇄ ] · ρ♯)) ]] 

We focus to the argument of the application and apply extensiveness 
of ⇄val⇄: 

          ▸ [focus-right [·] of (pure · ⟦ o ⟧ᵘ) * ] begin 
              do [[ evalᵐ[ e ] * · (γᶜ[ ⇄env⇄ ] · ρ♯) ]] 
               ▸ ⟅ extensiveᶜ[*][ ⇄val⇄ ] ⟆[⊑] 
               ▸ [[ γᶜ[ ⇄val⇄ ] * · ((pure · η[ ⇄val⇄ ]) * · 
                      (evalᵐ[ e ] * · (γᶜ[ ⇄env⇄ ] · ρ♯))) ]] 

We recognize the argument to be α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · 
evalᵐ[ e ] · ρ♯, which we can weaken to pure · eval♯[ e ] · ρ♯ from the 
inductive hypothesis: 

               ▸ [focus-right [·] of γᶜ[ ⇄val⇄ ] * ] begin 
                   do [[ (pure · η[ ⇄val⇄ ]) * · (evalᵐ[ e ] * · (γᶜ[ ⇄env⇄ ] · ρ♯)) ]] 
                    ▸ [[ α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · evalᵐ[ e ] · ρ♯ ]] 
                    ▸ ⟅ IH ⟆[⊑] 
                    ▸ [[ pure · eval♯[ e ] · ρ♯ ]] 
                    ▸ [[ return · (eval♯[ e ] · ρ♯) ]] 
                 end 
               ▸ [[ γᶜ[ ⇄val⇄ ] * · (return · (eval♯[ e ] · ρ♯)) ]] 

We apply the monad right unit to eliminate the extension: 

               ▸ ⟅ right-unit[*] γᶜ[ ⇄val⇄ ] ⟆[≡] 
               ▸ [[ γᶜ[ ⇄val⇄ ] · (eval♯[ e ] · ρ♯) ]] 
            end 
          ▸ [[ (pure · ⟦ o ⟧ᵘ) * · (γᶜ[ ⇄val⇄ ] · (eval♯[ e ] · ρ♯)) ]] 
       end 

Next we recognize this as an abstraction of ⟦ o ⟧ᵘ, for which we 
have parameterized the calculation: 

     ▸ [[ (pure · η[ ⇄val⇄ ]) * · 
            ((pure · ⟦ o ⟧ᵘ) * · (γᶜ[ ⇄val⇄ ] · (eval♯[ e ] · ρ♯))) ]] 
     ▸ [[ α[ ⇄val⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · (pure · ⟦ o ⟧ᵘ) · (eval♯[ e ] · ρ♯) ]] 
     ▸ ⟅ α[⟦⟧ᵘ] ⟆[⊑] 
     ▸ [[ pure · ⟦ o ⟧ᵘ♯ · (eval♯[ e ] · ρ♯) ]] 
     ▸ [[ return · (⟦ o ⟧ᵘ♯ · (eval♯[ e ] · ρ♯)) ]] 

We declare the result to be the definition of eval♯ and conclude: 

     ▸ [[ return · (eval♯[ Unary[ o ] e ] · ρ♯) ]] ∎ 

We can then define eval♯ as the result of calculation: 

  eval♯[ Num n ] = mk[⇒] (λ ρ♯ → η[ ⇄val⇄ ] · ↑⟨ n ⟩) 
  eval♯[ Var x ] = mk[⇒] (λ ρ♯ → lookup♯[ x ] · ρ♯) 
  eval♯[ Unary[ u ] e ] = mk[⇒] (λ ρ♯ → ⟦ u ⟧ᵘ♯ · (eval♯[ e ] · ρ♯)) 


6.4 End to End: Connection to the Collecting Semantics 

Recall that the original collecting semantics we wish to abstract, 
eval, is the extension of the monadic semantics, evalᵐ*. To establish 
the final proof of abstraction, we promote the partial order of the 
previous section between monadic functions: 

  α[evalᵐ] : α[ ⇄env⇄ ⇒ᵐ⇄ᵐ ⇄val⇄ ] · evalᵐ[ e ] ⊑ pure · eval♯[ e ] 

to a partial ordering between extended functions: 

  α[evalᵐ*] : α[ ⇄env⇄ *⇄ ⇒⇄ ⇄val⇄ *⇄ ] · evalᵐ[ e ] * ⊑ (pure · eval♯[ e ]) * 

where _*⇄ is the promotion operator from Kleisli to classical 
Galois connections, and _⇒⇄_ is the standard classical Galois 
connection pointwise lifting operator. 

We define _*⇄ following the proof of inclusion from Kleisli 
Galois connections into classical Galois connections: 

  _*⇄ : ∀ {A₁ A₂ : POSet} → A₁ ⇄ᶜ A₂ → 𝒫 A₁ ⇄ 𝒫 A₂ 
  ⇄A⇄ *⇄ = record 
    { α[_] = (pure · η[ ⇄A⇄ ]) * 
    ; γ[_] = γᶜ[ ⇄A⇄ ] * 
    ; extensive[_] = ... ; reductive[_] = ... } 

and we prove soundness and completeness following the definitions 
given in section 7: 

  sound/complete : 
    ∀ {A₁ A₂ B₁ B₂ : POSet} 
      (⇄A⇄ : A₁ ⇄ᶜ A₂) (⇄B⇄ : B₁ ⇄ᶜ B₂) 
      (f : ⟪ A₁ ⇒ 𝒫 B₁ ⟫) (f♯ : ⟪ A₂ ⇒ 𝒫 B₂ ⟫) 
    → (∀ x♯ → α[ ⇄A⇄ ⇒ᵐ⇄ᵐ ⇄B⇄ ] · f · x♯ ⊑ f♯ · x♯) 
    ↔ (∀ X♯ → α[ ⇄A⇄ *⇄ ⇒⇄ ⇄B⇄ *⇄ ] · f * · X♯ ⊑ f♯ * · X♯) 
  sound/complete = ... 

α[evalᵐ*] is then defined as an application of the soundness direction 
of sound/complete: 

  α[evalᵐ*] : ∀ {Γ} (e : exp Γ) (R♯ : ⟪ 𝒫 (⇧ (env♯ Γ)) ⟫) 
            → α[ ⇄env⇄ *⇄ ⇒⇄ ⇄val⇄ *⇄ ] · evalᵐ[ e ] * · R♯ 
            ⊑ (pure · eval♯[ e ]) * · R♯ 
  α[evalᵐ*] e R♯ = 
    π₁ (sound/complete ⇄env⇄ ⇄val⇄ evalᵐ[ e ] (pure · eval♯[ e ])) (α[evalᵐ] e) R♯ 

The next section describes the soundness and completeness result 
which we rely on in this section in more detail, and develops the 
foundations of Kleisli Galois connections. 

7. Foundations of Kleisli Galois Connections 

Kleisli Galois connections are formed by re-targeting the classical 
Galois connection framework from the category of posets to 
the powerset Kleisli category, where morphisms are monotonic 
monadic functions, as described in section 4.2. 

Unfolding the definition of extensiveᵐ and reductiveᵐ from section 4.2 
we reveal equivalent, more intuitive properties, which we 
call soundnessᵐ and completenessᵐ: 

  soundnessᵐ : ∀(x). ∃(y). y ∈ αᵐ(x) ∧ x ∈ γᵐ(y) 
  completenessᵐ : ∀(x₁♯, x₂♯, x). x ∈ γᵐ(x₁♯) ∧ x₂♯ ∈ αᵐ(x) ⟹ x₂♯ ⊑ x₁♯ 

These definitions provide a relational setup for the soundness 
and completeness of αᵐ and γᵐ. In fact, the model for the monadic 
space A → 𝒫(B) is precisely A → B ↝ Set,* i.e. monotonic 
relations over A and B. We have therefore recovered a relational 
setting for soundness and completeness of abstractions between 
sets, purely by following the natural consequences of instantiating 
the Galois connection framework to the powerset Kleisli category. 

* Here ↝ denotes antitonic functions; Set is ordered by implication. 

7.1 Lifting Kleisli Galois Connections 

The final step of our calculation relies on bridging the gap between 
Kleisli and classical Galois connections. This bridge enables us to 
construct a Kleisli Galois connection 

  env → 𝒫(val) ⇄ env♯ → 𝒫(val♯) 

and the calculation α^{env⇒val}(evalᵐ[e]) ⊑ pure(eval♯[e]), and lift both 
systematically to classical results, and to do so without any loss of 
generality. We formalize these notions in the following theorems: 

Theorem 1 (GC-Soundness). For every Kleisli Galois connection A ⇄ B 
with αᵐ : A → 𝒫(B) and γᵐ : B → 𝒫(A), there exists a classical Galois 
connection 𝒫(A) ⇄ 𝒫(B) where α* := αᵐ* and γ* := γᵐ*. 

Theorem 2 (GC-Completeness). For every classical Galois connection 
𝒫(A) ⇄ 𝒫(B) where α and γ are of the form α = αᵐ* and γ = γᵐ*, there 
exists a Kleisli Galois connection A ⇄ B with abstraction αᵐ and 
concretization γᵐ. 

Next we show how to lift Kleisli Galois connections pointwise to a 
classical Galois connection over extensions: 

Lemma 8 (Pointwise-lifting-extensions). Given Kleisli Galois 
connections A₁ ⇄ A₂ (with αᵐA, γᵐA) and B₁ ⇄ B₂ (with αᵐB, γᵐB), 
there exists a classical Galois connection 

  𝒫(A₁) → 𝒫(B₁) ⇄ 𝒫(A₂) → 𝒫(B₂) 

where 

  γ^{𝒫A⇒𝒫B}(f♯) := γᵐB* ∘ f♯ ∘ αᵐA* 

And finally we establish an isomorphism of partial ordering between 
monadic functions and their extensions: 

Theorem 3 (Soundness). Given Kleisli Galois connections A₁ ⇄ A₂ and 
B₁ ⇄ B₂ and functions f ∈ A₁ → 𝒫(B₁) and f♯ ∈ A₂ → 𝒫(B₂), partial 
orders under the Kleisli pointwise lifting imply partial orders under 
extension: 

  α^{A⇒B}(f) ⊑ f♯ ⟹ α^{𝒫A⇒𝒫B}(f*) ⊑ f♯*. 

Theorem 4 (Completeness). Given Kleisli Galois connections A₁ ⇄ A₂ and 
B₁ ⇄ B₂ and functions f ∈ A₁ → 𝒫(B₁) and f♯ ∈ A₂ → 𝒫(B₂), partial 
orders under the Kleisli pointwise lifting for extensions imply partial 
orders without extension: 

  α^{𝒫A⇒𝒫B}(f*) ⊑ f♯* ⟹ α^{A⇒B}(f) ⊑ f♯. 
7.2 Constructive Galois Connections 

Analogously to Kleisli Galois connections, we state extensiveness 
and reductiveness as equivalent soundness and completeness properties: 

  soundnessᶜ : ∀(x). x ∈ γᶜ(η(x)) 
  completenessᶜ : ∀(x♯, x). x ∈ γᶜ(x♯) ⟹ η(x) ⊑ x♯ 

These statements have an even stronger intuitive meaning than those 
of Kleisli Galois connections: soundnessᶜ states that x must be in the 
concretization of its abstraction, and completenessᶜ states that the 
best abstraction for x, i.e. η(x), must be better than any other abstraction 
for x, i.e. x♯. 

Constructive Galois connections are initially motivated by the 
need for pure abstraction functions during the process of calculation, 
and simultaneously by the observation that abstraction functions 
are often pure functions in practice. What is surprising is that 
constructive Galois connections are not a special case of Kleisli Galois 
connections: all Kleisli Galois connections are constructive. 

Theorem 5. The set of Kleisli Galois connections is isomorphic to 
the set of constructive Galois connections. 

Proof. The easy direction is constructing a Kleisli Galois connection 
from a constructive Galois connection. Given a constructive Galois 
connection A ⇄ B with η : A → B and γᶜ : B → 𝒫(A), we construct the 
following Kleisli Galois connection: 

  αᵐ : A → 𝒫(B)      γᵐ : B → 𝒫(A) 
  αᵐ = pure(η)        γᵐ = γᶜ 

Proofs for extensiveness and reductiveness follow definitionally. 
The next step is to construct a constructive Galois connection 
from a Kleisli Galois connection A ⇄ B with αᵐ : A → 𝒫(B) and 
γᵐ : B → 𝒫(A). This at first seems paradoxical, since it requires 
constructing an abstraction function η : A → B from the given 
abstraction specification αᵐ : A → 𝒫(B). However, we are able to 
exploit the property of soundnessᵐ, which is equivalent to extensiveᵐ, 
from the definition of Kleisli Galois connections to define η. 

Recall the soundness judgement for Kleisli Galois connections, 
which arises directly from the definition of return and _*: 

  soundnessᵐ : ∀(x). ∃(y). y ∈ αᵐ(x) ∧ x ∈ γᵐ(y) 

Given a proof of soundnessᵐ, we use the axiom of choice to extract 
the existentially quantified y given an x. In fact, the axiom of choice 
is not an axiom in constructive logic, rather it is a theorem of choice, 
which can be written in Agda: 

  choice : ∀ {A B} {P : A → B → Set} → (∀ x → ∃ y 𝑠𝑡 P x y) → A → B 
  choice f x with f x 
  ... | ∃ y ,, P[x,y] = y 

Using the axiom of choice we easily define η and γᶜ: 

  η ∈ A → B                                      γᶜ ∈ B → 𝒫(A) 
  η(x) = y where ∃y. y ∈ αᵐ(x) ∧ x ∈ γᵐ(y)       γᶜ = γᵐ 

In order for η and γᶜ to be a valid Galois connection we must still 
prove extensiveness and reductiveness. To do so we instead prove 
soundnessᶜ and completenessᶜ, which are equivalent to extensiveᶜ 
and reductiveᶜ. These proofs follow from the soundness evidence 
attached to η(x) and its use of the axiom of choice. 

Lemma 9 (soundnessᶜ). ∀(x). x ∈ γᶜ(η(x)). 

Lemma 10 (completenessᶜ). ∀(x♯, x). x ∈ γᶜ(x♯) ⟹ η(x) ⊑ x♯. 

Finally, to establish the isomorphism, we show that transforming 
a Kleisli Galois connection into a constructive one and back results 
in the same Galois connection. To show this we apply the following 
lemma, a restatement of its classical analogue [19, p.239] in the 
Kleisli setting: 

Lemma 11 (Kleisli-Uniqueness). Given two Kleisli Galois connections 
A ⇄ B with components (α₁ᵐ, γ₁ᵐ) and (α₂ᵐ, γ₂ᵐ), α₁ᵐ = α₂ᵐ if and 
only if γ₁ᵐ = γ₂ᵐ. 

To use this lemma, we recognize that the concretization functions 
γᵐ and γᶜ are definitionally the same for both mappings between 
Kleisli and constructive Galois connections. It then follows that 
αᵐ and pure(η) must be equal. □ 

The consequence of the isomorphism between Kleisli and constructive 
Galois connections is that we may work directly with constructive 
Galois connections without any loss of generality. Furthermore, we 
can assume a pure “extraction function” η for every Kleisli abstraction 
function αᵐ where αᵐ = pure(η). 

Finally, our proof of isomorphism gives a foundational explanation 
for why some Galois connections happen to have fully computational 
functions as their abstraction functions. These pure abstraction 
functions are no accident; they are induced by the Kleisli Galois 
connection setup embedded in constructive logic, where the axiom 
of choice is definable as a theorem with computational content. 
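The two directions of Theorem 5, together with the soundnessᵐ/completenessᵐ definitions of section 7 and Lemmas 9 to 11, replayed on a finite model. This is an added Python example, not the paper's Agda: the concrete domain is the integers -3..3 with the discrete order, the abstract domain is a constructed sign lattice, γᵐ is given directly as a relation and αᵐ as a specification (the set of signs at least as precise as every sign that soundly describes n). The function choice models the theorem of choice: it projects the witness y out of a proof of ∀x. ∃y. P x y, here represented as a function returning the witness and its evidence. All names are assumptions of the example.

```python
"""Finite model of Theorem 5 (Kleisli ≅ constructive Galois connections);
added example, not the paper's Agda.  INTS carries the discrete order, so
every subset of INTS is an element of 𝒫(INTS); SIGNS is a constructed
lattice whose 𝒫 consists of its downward-closed subsets."""

INTS = tuple(range(-3, 4))
SIGNS = ("bot", "neg", "zero", "pos", "top")

def leq(s, t):
    """Order on SIGNS: bot ⊑ neg, zero, pos ⊑ top."""
    return s == t or s == "bot" or t == "top"

def gamma_m(s):
    """Kleisli concretization γᵐ : SIGNS → 𝒫(INTS), given as a relation."""
    return frozenset(n for n in INTS if
                     s == "top" or (s == "neg" and n < 0) or
                     (s == "zero" and n == 0) or (s == "pos" and n > 0))

def alpha_m(n):
    """Kleisli abstraction αᵐ : INTS → 𝒫(SIGNS), written as a specification:
    the signs at least as precise as every sign soundly describing n.
    The result is downward-closed in SIGNS, as 𝒫 requires."""
    sound_for_n = [t for t in SIGNS if n in gamma_m(t)]
    return frozenset(s for s in SIGNS if all(leq(s, t) for t in sound_for_n))

def soundness_m(n):
    """soundnessᵐ: ∃ y. y ∈ αᵐ(n) ∧ n ∈ γᵐ(y).  Returns (witness, evidence),
    or None if no witness exists (the property would then fail)."""
    for y in SIGNS:
        if y in alpha_m(n) and n in gamma_m(y):
            return (y, (y in alpha_m(n), n in gamma_m(y)))
    return None

def completeness_m():
    """completenessᵐ: n ∈ γᵐ(x₁♯) ∧ x₂♯ ∈ αᵐ(n) ⟹ x₂♯ ⊑ x₁♯, checked exhaustively."""
    return all(leq(x2, x1) for n in INTS for x1 in SIGNS for x2 in SIGNS
               if n in gamma_m(x1) and x2 in alpha_m(n))

def choice(proof):
    """The theorem of choice: from a proof of ∀x.∃y.P x y build the function x ↦ y."""
    return lambda x: proof(x)[0]

# The constructive side extracted from the Kleisli one (the hard direction).
eta = choice(soundness_m)      # η : INTS → SIGNS, a pure function
gamma_c = gamma_m              # γᶜ := γᵐ

def soundness_c():
    """Lemma 9: ∀x. x ∈ γᶜ(η(x))."""
    return all(n in gamma_c(eta(n)) for n in INTS)

def completeness_c():
    """Lemma 10: x ∈ γᶜ(x♯) ⟹ η(x) ⊑ x♯."""
    return all(leq(eta(n), s) for n in INTS for s in SIGNS if n in gamma_c(s))

def pure_eta_equals_alpha_m():
    """Round trip (Lemma 11): the easy direction rebuilds αᵐ as pure(η), i.e.
    { y | y ⊑ η(x) }, and this coincides with the αᵐ we started from."""
    return all(frozenset(y for y in SIGNS if leq(y, eta(n))) == alpha_m(n) for n in INTS)

if __name__ == "__main__":
    print({n: eta(n) for n in INTS})
    print(completeness_m(), soundness_c(), completeness_c(), pure_eta_equals_alpha_m())
```

The extracted η is the exact sign of each integer, even though αᵐ was only stated as a specification; that is the computational content the paper attributes to soundnessᵐ plus choice. Because 𝒫(SIGNS) contains only downward-closed sets, αᵐ(n) is forced to be the down-set of a single best element, which is why pure(η) recovers it exactly (Lemma 11).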

8. Related Work 

This work connects two long strands of research: abstract interpretation 
and dependently typed programming. The former is founded on 
the pioneering work of Cousot and Cousot [9, 10]; the latter on that 
of Martin-Löf [15], embodied in Norell’s Agda [20]. A key technical 
insight of ours is to use a monadic structure for Galois connections 
and proofs by calculus, following the example of Moggi [18] 
for the λ-calculus. 

Calculational abstract interpretation Cousot describes the calcu¬ 
lation approach to abstract interpretation by example in his lecture 
notes [8], the foundations for which can be found in [7], and recently 
introduced a unifying calculus for Galois connections [12]. Other 
notable uses of calculational abstract interpretation include the cal¬ 
culational derivation of higher order control flow analysis [16] and 
the calculation of polynomial time graph algorithms [23]. 

Our work mechanizes Cousot’s calculations, and provides a suit¬ 
able foundation for mechanizing other instances of calculational ab¬ 
stract interpretation. 

Calculational program design Related to the calculation of ab¬ 
stract interpreters is the calculation of programs, long advocated by 
Bird and others as calculational program design [2, 3]. 

Calculational program design has been successfully mechanized 
in proof assistants [26]. This practice does not encounter the non-constructive 
metatheory issues which show up in mechanizing calculational 
abstract interpreters. In mechanized calculational program 
design, specifications are fully constructive, and their inhabitants 
can be readily executed as programs. In abstract interpretation 
the specifications are inherently non-constructive, which leads 
to the need for new theoretical machinery. 

Verified static analyses Verified abstract interpretation has seen 
many promising results [1, 4, 6, 22], scaling up recently to large-scale 
real-world static analyzers [14]. Mechanized abstract interpretation 
has yet to benefit from being built on a solid, compositional 
Galois connection framework. Until now, approaches have used either 
“α-only” or “γ-only” encodings of soundness and (sometimes) completeness. 
Our techniques for isolating specification effects should 
readily apply to these existing approaches. 

Monadic abstract interpretation The use of monads in abstract 
interpretation has recently been put to good effect [13, 24]. However, 
that work uses monads to structure the language semantics, 
whereas our approach has been to use monadic structure in the Galois 
connections and proofs by calculus. 

Galculator The Galculator [25] is a proof assistant founded on an 
algebra of Galois connections. This tool is similar to ours in that it 
mechanically verifies Galois connection calculations; additionally 
it fully automates the calculational derivations themselves. Our approach 
is more general, supporting arbitrary set-theoretic reasoning 
and embedded within a general purpose proof assistant, whereas 
their approach is fully automated for the small set of derivations 
which reside within their supported theory. We foresee a marriage 
of the two approaches, where simple algebraic calculations are derived 
automatically, yet more complicated connections are still expressible 
and provable within the same mechanized framework. 

Future directions Now that we have established a foundation for 
constructive Galois connection calculation, we see value in verifying 
larger derivations (e.g. [17, 23]). Furthermore we would like to 
explore whether or not our techniques have any benefit in the space 
of general-purpose program calculations à la Bird. 

There have also been recent developments on compositional ab¬ 
stract interpretation frameworks [13] where abstract interpreter im¬ 
plementations and their proofs of soundness via Galois connection 
are systematically derived side-by-side. Their framework relies on 
correctness properties transported by Galois transformers, which 
we believe would greatly benefit from mechanization, because they 
hold both computational and specification content. 

9. Conclusions 

Over fifteen years ago, when concluding “The calculational design 
of a generic abstract interpreter” [7, p. 85], Cousot wrote: 

The emphasis in these notes has been on the correctness of 
the design by calculus. The mechanized verification of this 
formal development using a proof assistant can be foreseen 
with automatic extraction of a correct program from its correctness 
proof. 

This paper realizes that vision, giving the first mechanically verified 
proof of correctness for Cousot’s abstract interpreter. Our proof “by 
calculus” closely follows the original paper-and-pencil proof; the 
primary discrepancy is the use of monadic reasoning to isolate 
specification effects. By maintaining this monadic discipline, we 
are able to verify calculations by Galois connections and extract 
computational content from pure results. The resulting static analyzer 
is correct by verified construction and therefore does not suffer from 
bugs present in the original. 